32 PowerShell 101, Lesson 1

In this practical lesson, our scripting expert walks you through the Get-Help 
cmdlet to get the information you need to create a Get-Content command 
that reads a file—a common administrative task. Along the way, you'll learn 
to apply the Get-Command and Get-Alias cmdlets. 

—ROBERT SHELDON 

33 IT PRO HERO 
PowerShell Empowerment 

Longtime scripter Alex Angelopoulos shows 
how Windows PowerShell can help remove the 
drudgery—and improve the speed—of performing 
systems management tasks. 

—ANNE GRUBB 



FEATURES 


39 Best Practices for Managing User Data and 
Settings, Part I 

Let's start with the server side of the equation by looking at the physical 
namespace, the SMB namespace, and the DFS namespace that will give you 
the most effective back end for effective UDS management.

—DAN HOLME

45 Group Policy
Essentials 
No Sys Admin 
Can Live Without 

Ensure that Group Policy delivers its powerful potential 
on your systems—here's a primer about how GPOs 
are processed, how permissions and filtering work, 
and how to do basic troubleshooting. 

—DARREN MAR-ELIA 

REQUIRED READING: SECURITY 

49 Windows Without Windows 

Windows Server 2008 introduces Server Core, which 
dispenses with the GUI for a leaner, more secure system. 
A few basic commands will get you going with this 
new OS version. 

—RUSSELL SMITH 


OFFICE & SHAREPOINT PRO 


Managing Microsoft Office 2007 with
Group Policy

Take advantage of Administrative Templates and other new tools to set
access and security policies for Office 2007 through Group Policy.

—DARREN MAR-ELIA



TRICKS & TRAPS 


15 Reader to Reader 

Move IE 7.0's toolbar under the menu bar, and use WMIC to determine whether 
hotfixes are installed. 


63 Ask the Experts 

Find out what the Msocache folder is, learn how to use a command line to
extract the contents of an MSI file, and discover how to control password 
caching in OMA. 



Read this article online at www.windowsitpro.com 

Groove Server 2007 Makes 
Online Collaboration Easier 

Groove Server 2007 offers useful tools for 
online collaboration, such as SharePoint 
access and synchronization, server backup and 
relay, discussion forums, and client-to-client 
synchronization, and you can manage it inhouse or 
via a hosted service. 

—J. PETER BRUZZESE 
InstantDoc ID 97700 


Access articles online at www.windowsitpro.com. Enter the article ID (located at the end of each article) 
in the InstantDoc ID text box on the home page. 
Karen Forster


IT Pro Perspective

What's Essential to Midsized Business?

Microsoft's Windows Essential Business Server 
provides a simplified interface for setup, migration, 
and licensing in midsized companies. 
Mark Minasi


Windows Power Tools
Manage Your EFS Keys with Cipher

The Cipher command-line tool can help you get a
handle on key management and recovery—essential
to any EFS user.



Paul Thurrott 


Need to Know 
Windows Vista SP1

Late adopter of Vista? In case you were waiting for
Vista SP1, it's a traditional service pack—get the inside
skinny on update and hotfix details from Paul.



Top 10 

Features of Google Apps 

Google's Web-based suite of office applications 
provides email, calendaring, IM, document creation, 
and many other useful tools. 


PRODUCTS 


17 New & Improved 

Check out the latest products to 
hit the marketplace. 

PRODUCT SPOTLIGHT 
Infortrend's EonStor B12S-R/ 
G1030 SAS-to-SAS and B12F-R/ 
G1430 FC-to-SAS arrays 


18 REVIEW 

Paul’s Picks 

The IT pro's IT pro offers his 
review of Windows Server 2008 
RC1 and Microsoft Office Live
Workspace. 

—PAUL THURROTT 

18 REVIEW 

Lantronix 
SecureLinx Spider 

This scalable KVM-over-IP
switch promises the ability to 
remotely manage geographically 
distributed IT equipment, but it 
comes up short in ease of use. 
—JOHN GREEN 

19 COMPARATIVE 
REVIEW 

2 Ways to Prevent 
Rogue Devices 
from Stealing 
Your Data 

This comparison of two endpoint-security products will give you a good idea of this increasingly important market and help you take back control of all your vulnerable entry points.

—ERIC B. RUX
A Snapshot of the Endpoint Security Market . . . 20

25 PRODUCT FEATURE 

A First Look at 
Windows Server 
2008 Hyper-V 

Take a tour through the new 
Windows Server 2008 Hyper-V 
technology. Get an overview 
of its microkernel architecture, 
learn how to install it, and get 
an early look at how it stacks 
up against the industry leader, 
VMware ESX Server. 
—MICHAEL OTEY 
Feature for Feature: VMware ESX Server vs. Microsoft Hyper-V

29 BUYER’S GUIDE 
Exchange Server 
Archiving Software 

Email-archiving solutions can 
provide better performance for 
your mail servers and offer many 
different storage, search, and 
compliance options. This buyer's 
guide can help you choose the 
right email-archiving product for 
your organization. 

—B. K. WINSTEAD




69 Readers Review 
Hot Products 

Straight talk from readers about 
the products they use: Lucid8 
DigiScope, Diskeeper 2008, and 
VMware Infrastructure 3. 
—JEFF JAMES 
Antivirus Is Dead: A New Approach to
Computer Protection

According to Australia’s Computer Emergency Response Team, the top-selling antivirus
solutions let in 80 percent of all new malicious code. This white paper analyzes why 
the antivirus-software industry is in trouble, why antivirus software doesn’t work, and why 
the IT industry has failed to diagnose the problem of software viruses correctly. 

www.windowsitpro.com/go/Bit9/wp/avdead/?code=febcitc 

Enterprise Protection and an 
Affordable Price 

Keep your organization’s Exchange backup, recovery, and testing solutions down to
one easy-to-configure integrated application. This white paper discusses continuous 
data protection solutions not only for organizations that are unable to utilize block-level 
protection, but also for SAN customers who want an alternative to expensive Exchange 
protection products. 

www.windowsitpro.com/go/wp/appassure/affordable/?code=febcitc 


Protect Yourself from 
Top Security Threats 

Ensure that your controls protect your data as they should. In a changing threat landscape that’s moving from minor operation disruption to significant trust and reputation damage, technology needs to keep pace. View this Web seminar to learn the key techniques of successful data protection and discover how a multilayer security solution for critical systems helps your organization prevent vulnerabilities.

www.windowsitpro.com/go/seminars/Symantec/$C$P/?partnerref=febcitc



Who Loves Ya, Baby? 

Here in Loveland, Colorado (the hometown of Windows IT Pro and, apparently, love), Valentine’s Day is a pretty big deal. Downtown, huge wooden hearts hang from street lights professing citizens’ undying love for their significant others. The town even hosts the national Valentine Remailing Program, which lets people from all over the country send their valentines to the Loveland post office to be stamped with a special lovey-dovey verse and sent on to their respective sweetie pies.

I can’t say that I share Loveland’s excitement for February 14. Personally, I think Valentine’s Day is so commercialized that it more exploits love than expresses it. And no candy-induced sugar high could make me think differently. So in this February issue, needless to say, I’m not going to tell you that I care about you. Instead, I’ll show you by giving you what you love: easy tips and free tools. XOXO


Favorite Links Forum 

Find the tool or solution you’ve been looking 
for in this peer-to-peer forum. Readers share 
resources, tips, discussions, and tools. 
www.windowsitpro.com/go/FavoriteLinksForum 


Totally Free Utilities 

Fill your troubleshooting toolkit with the great finds in Douglas 
Toombs’ “8 Absolutely Cool, Totally Free Utilities” and “8 More 
Absolutely Cool, Totally Free Utilities.” 

InstantDoc IDs 50122 and 96628 

For more resources, see my extended blog post at InstantDoc ID 97849 or just send me a message at christan.humphries@penton.com.

The Missing Link to IT Resources


BY CHRISTAN HUMPHRIES 
IT Pro Perspective 


What's Essential to Midsized Business?

Windows Essential Business Server at the “Centro” of the SMB universe 


One of the many proverbs you often hear repeated at Microsoft goes something like, "We generally don't get things right the first time. But on the second or third try, we eventually kick our competitors' butts." Case in point: an integrated server product that's easy to deploy and manage and is aimed at simplifying IT infrastructure for medium-size companies (i.e., those with as many as 250 PCs). The first try in this area was Microsoft BackOffice Server in the mid-1990s. Microsoft bundled Windows NT Server 4.0, Microsoft Mail (MS Mail, the company's Messaging API—MAPI—mail server prior to Exchange Server), SQL Server 6.5, SNA Server (for connectivity with legacy IBM servers), and IIS 1.0, all on a single server. This software bundle was conceived to emulate the success of IBM's AS/400 midrange computers. Although BackOffice was highly successful, it was perceived as a threat to sales of some of its component products. BackOffice quietly went away after the BackOffice Server 2000 release (around the time when the US Department of Justice lawsuit caused Microsoft to officially expunge the word "bundle" from its vocabulary). However, Small Business Server (SBS), an "integrated suite" consisting of Windows Server, Exchange, Windows SharePoint Services (WSS), Windows Server Update Services (WSUS), and Microsoft's integrated fax service, persisted. This suite for environments with as many as 75 users became highly successful following the release based on Windows Server 2003. Honed and improved with each version, ease of use has been the key to SBS's success. In fact, SBS is so successful that it inspired a new midmarket suite, Windows Essential Business Server (WEBS—formerly code named Centro), which stirs memories of BackOffice Server and opens up the lucrative medium-size business market, with 1.4 million enterprises worldwide.

The Essentials 

Currently in private beta and set for release in late 2008, WEBS targets companies with 25 to 250 PCs, 50 to 100 employees, and 1 to 5 IT staff members. WEBS Standard Edition requires three physical 64-bit servers, one for each of its components—a management server to run Windows Server 2008 and System Center Essentials (SCE—clearly, someone at Microsoft loves the word "essentials"); a messaging server to run Exchange Server 2007 and Microsoft Forefront Security for Exchange Server; and a security server to run the upcoming version of ISA Server and an Exchange 2007 gateway. If you buy WEBS Premium Edition, you also get SQL Server 2008.

Like SBS, WEBS makes setting up and managing all the components easier than coordinating and licensing each product's implementation individually. The heart of that ease is the unified administration console, which you can access from within the network or remotely via VPN. This console is preconfigured with best practices for managing common IT workloads, including networking, security, collaboration, and remote access.

WEBS provides "new technologies that simplify license management." You get one WEBS CAL for all of its component products. From the admin console, you can determine how many licenses you have and to whom the licenses are assigned. And you can reassign licenses—for example, to replace an employee who left the company.

Software and Hardware 

In addition to offering WEBS as an all-in-one software package that you can install on your own 64-bit machines, Microsoft is letting hardware partners produce WEBS appliances (analogous to Windows Storage Server or ISA Server appliances). Fujitsu Siemens, HP, and IBM will offer WEBS servers. Additionally, Microsoft's software partners can sell add-ins for the WEBS unified admin console.

Getting IT Right

It's too soon to tell whether Microsoft got WEBS right. 
But apparently, the company listened to feedback from 
SBS customers who wanted an upgrade path beyond the 
limitations of SBS. Also, Microsoft learned that a simplified 
interface for setup, migration, and licensing is important to 
IT organizations that don't have the luxury of specialists for 
areas such as messaging or database management. Similar 
to the management interface of Windows Home Server, the 
WEBS admin console does seem to be a step forward for 
busy IT generalists. 

I'm intrigued by WEBS. Will you try it when it's available? Let me know what you think, and I'll incorporate your feedback into a future Hey Microsoft! column.

InstantDoc ID 97896 


















letters@windowsitpro.com 


Microsoft Asks: Who 
Are You? 

I've been in IT since 1993, and that seems like an eternity some days. I work for a Microsoft Certified Partner that develops custom software. We're a Microsoft shop. I've spent 10 years working for my current employer, so I would say I'm pretty familiar with the history of Microsoft and IT. I find Microsoft wanting in many ways, mostly because the company continues to make my job difficult.

In response to Karen Forster's editorial, "Microsoft Asks: Who Are You?" (December 2007, InstantDoc ID 97478), I have to say I find no compelling reason to share any of my personal information with Microsoft. Maybe I'm just old and grouchy, but I don't see how celebrating my ability to play the kazoo translates into helping me do my job. I have a firm grip on who I am and have never confused myself with my profession. Honestly, Microsoft's initiative seems like a marketing gimmick. If this kind of email message arrived at my company, it would probably get tagged as spam.

—Curt Hayes 

Oops

In “Paul’s Picks” (InstantDoc ID 97410), Paul Thurrott mistakenly reported that Windows XP SP3 will include Microsoft Internet Explorer (IE) 7.0 and Windows Media Player (WMP) 11. SP3 will upgrade neither IE nor WMP.

EDITOR’S NOTE

Windows IT Pro welcomes feedback about the magazine. Send comments to letters@windowsitpro.com, and include your full name, email address, and daytime phone number. We edit all letters and replies for style, length, and clarity.

Custom Logon-Tracking Solution Insecure?

The Custom Logon-Tracking Solution ("Windows IT Pro Innovators Share Their Successes," November 2007, InstantDoc ID 97204) struck me as rather insecure. Any time you have a shared Microsoft Access database that is writeable by large numbers of individuals, you have a potential nightmare.

First, the logon script runs under the user's ID, which means he or she must have write access to the Access database. Nothing prevents the user from deleting, creating, and modifying records. Anyone with access can forge entries, purge entries, and otherwise modify records. Also, depending on how administrators access the account-logging database, an even bigger vulnerability is possible. In Access 2003, when I open .mdb files, the system warns me that if this .mdb file contains code intended to harm me, it can do so! If non-privileged users modify that .mdb file, opening it allows dangerous Visual Basic for Applications (VBA) code to run. If administrators are careful and never open the .mdb file itself—and always interact with it through table links from another .mdb file—they're probably safe. If not, they're vulnerable.

I'm no security guru, but I would suggest using a restricted SQL Server database instead of an .mdb file. Then, I'd create SQL Server stored procedures for creating the logon records and updating the logout time. Those stored procedures would use SQL Server functions to enumerate the machine, the username (using integrated security), the logon time, and so on. I wouldn't be able to prevent people from trying to insert false data, but I'd know what account was used, what IP address they came from, and when it happened (based on the server's clock). I'd also restrict the database growth size, set up alarm notifications, and so on.

—Anonymous

There are security vulnerabilities that could lead to problems, especially if the solution is used to store mission-critical or highly sensitive data. In our case, the solution was purely a tool for us to learn which computers were being used and to what extent. Even so, our Access database is stored on a separate share that is completely locked down with several layers of security, including firewalls, file permissions, and GPOs. Only administrators have rights to browse to the location, and only authenticated users on our domain have read/write access to the database. An authenticated user would have to know the exact path and filename of the database to even try to tamper with it. That information would be very difficult for our users—none of whom have local administrative rights—to obtain. Migrating the solution to a SQL Server database would certainly increase security, and I would strongly recommend that option if higher security is needed.

—Brandon Jones 
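
The stored-procedure design suggested in the anonymous letter above, written in T-SQL as an added example (it is not code from the magazine or from the original logon-tracking solution). The database, file, table, procedure, and role names are hypothetical, and `CONNECTIONPROPERTY` assumes SQL Server 2008 or later.

```sql
-- Added example. All object names (LogonTracking, dbo.LogonAudit,
-- dbo.usp_RecordLogon, dbo.usp_RecordLogoff, LogonWriters) are hypothetical.

CREATE TABLE dbo.LogonAudit (
    LogonId    BIGINT IDENTITY(1,1) PRIMARY KEY,
    LoginName  SYSNAME       NOT NULL, -- set by the server from the authenticated login
    HostName   NVARCHAR(128) NULL,     -- client-reported, so treat it as a hint only
    ClientIp   VARCHAR(48)   NULL,     -- taken from the connection, not from the caller
    LogonTime  DATETIME      NOT NULL, -- server clock
    LogoffTime DATETIME      NULL
);
GO

-- The logon script calls this with no identity arguments at all:
-- every identifying column is filled in server-side.
CREATE PROCEDURE dbo.usp_RecordLogon
    @LogonId BIGINT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;

    INSERT INTO dbo.LogonAudit (LoginName, HostName, ClientIp, LogonTime)
    VALUES (
        ORIGINAL_LOGIN(),  -- DOMAIN\user under integrated security
        HOST_NAME(),
        CAST(CONNECTIONPROPERTY('client_net_address') AS VARCHAR(48)),
        GETDATE()
    );

    SET @LogonId = SCOPE_IDENTITY();
END
GO

-- The logoff script may close only a row that belongs to the calling
-- login and that is still open; it cannot rewrite anyone else's record
-- or change a logoff time that has already been set.
CREATE PROCEDURE dbo.usp_RecordLogoff
    @LogonId BIGINT
AS
BEGIN
    SET NOCOUNT ON;

    UPDATE dbo.LogonAudit
    SET    LogoffTime = GETDATE()
    WHERE  LogonId    = @LogonId
      AND  LoginName  = ORIGINAL_LOGIN()
      AND  LogoffTime IS NULL;
END
GO

-- Users get EXECUTE on the two procedures and nothing on the table.
-- Because the procedures and the table share an owner (dbo), ownership
-- chaining lets the procedures write while direct table access is refused.
CREATE ROLE LogonWriters;
GRANT EXECUTE ON OBJECT::dbo.usp_RecordLogon  TO LogonWriters;
GRANT EXECUTE ON OBJECT::dbo.usp_RecordLogoff TO LogonWriters;
DENY  SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.LogonAudit TO LogonWriters;
GO

-- Cap data-file growth so a flood of bogus logon calls cannot fill the disk.
-- The logical file name and size are placeholders.
ALTER DATABASE LogonTracking
    MODIFY FILE (NAME = LogonTracking_data, MAXSIZE = 2GB);
GO
```

As the letter notes, this does not stop a user from calling the logon procedure when no logon happened; it ensures that each such row carries the real account, source address, and server time.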

IT as a Career 
Choice 

I read Jeff James's article, "Windows IT Pro: A Good Career Choice for Your Kids?" (December 2007, InstantDoc ID 97408). Maybe I just got lucky, but my son has been at a keyboard since he could sit up straight on his own. He spent his whole childhood tinkering with hardware to software and everything in between. I don't see the point of recommending or not recommending IT as a career choice for your kids. It's like being an artist: Either you can paint or you can't. Sure, you can go to school and learn how to paint. But that won't make you a great painter.

I never recommended my son get into IT, but IT got into him from an early age. Too often, kids choose IT solely for the money. Bad decision. IT sucks unless you really, really like it. My son likes it. Right out of high school, he got a position with a high-profile social-networking site making the kind of money I started making only a few years ago. Life just isn't fair. ♦

—Scott Gutauckis 
InstantDoc ID 97859 
What You Need to Know About...

Windows Vista SP1


Microsoft has come clean on what exactly it intends to ship in Windows Vista SP1. Although some of the details are surprising, the most interesting aspect of this release is that Microsoft was right all along: Customers really don't need to wait for SP1 to deploy Vista. That's because, with Vista SP1, the company is returning to a more traditional view of what a service pack is. Here's what you need to know about Vista SP1, which should be available around the time you read this.

Back to Basics 

Although Microsoft halted the development of Vista to create Windows XP SP2 and imbued that release with a host of new features and functionality, most of which were security related, the software giant is using Vista's first service pack to return to its original plan for Windows service packs. That is, Vista SP1 doesn't include any major new features. Instead, it's an aggregation of previously released fixes, though it does include some SP1-specific fixes and a few minor new features.

The reasons for this change in service-pack philosophy are legion, but the important point is that Microsoft is responding to both the needs of customers and to a changing world. Today, most of the company's customers are connected to the Internet, so Microsoft can deliver fixes and functional updates via its Microsoft Update and Automatic Update services, as well as related online services such as Windows Live. This pervasive connectivity gives consumers a way to get the most recent updates on a regular basis, and even the smallest corporate environments can use Microsoft and third-party deployment tools to control what gets pushed down to user desktops.

Microsoft also uses its online updating technologies to deploy hardware and software compatibility updates to customers. This means that, over time, Vista's compatibility is improving at a steady clip, so devices and applications that might have had problems in late 2006 are likely working fine today. The company continues to maintain that Vista is the most compatible OS it's ever shipped and that Vista is getting better each month.

In this new world, service packs are less crucial because customers don't have to wait for one to get important fixes and functional changes. But corporations that prefer to install updates in larger, single installations can still wait for service packs to obtain updates en masse.

What’s Included in Vista SP1

In "What You Need to Know About Instant Search Changes to Windows Vista SP1," September 2007, InstantDoc ID 96602, I discussed the instant search changes that Microsoft has implemented in Vista SP1 in response to antitrust complaints from online giant Google. In addition to those changes, Microsoft will include the following in Vista SP1:

Hotfix rollup. As in previous service packs, Vista SP1 will include a rollup of previously released hotfixes, security fixes, and other updates.

Performance, compatibility, and reliability fixes. Vista SP1 will include many updates that improve the performance, compatibility, and reliability of the underlying system. Although some of these fixes were deployed via Microsoft Update to customers in August and October 2007, SP1 will also include some fixes that are unique to this service pack.

Support for emerging hardware and standards. With previous Windows versions, Microsoft would typically wait for a new Windows version before introducing new compatibility with emerging hardware and standards. But because of the lead time on the next Windows version, the company is addressing this need in SP1, which will add support for Wireless-N networking hardware, the exFAT file system, Secure Digital (SD) advanced direct memory access (DMA), network boot for EFI-based x64 systems, the Secure Socket Tunneling Protocol (SSTP), and DirectX 10.1.

Functional improvements. Microsoft is also making several small, functional changes. The BitLocker full-disk encryption feature is being updated so that it can automatically protect non-system disks, as per the version in Windows Server 2008. Disk Defragmenter now includes a UI for choosing which volumes are automatically defragmented. Local printing from Terminal Services has been improved, as has the Network Diagnostics tool.

"Service Pack 1 doesn't change the Vista value proposition," Windows Client product manager Dave Zipkin told me in a recent briefing. "There's plumbing stuff, behind the walls... reliability stuff, based on Watson and online crash analysis data. We discovered where crashes were occurring in Vista. It turns out most of it was not in Microsoft code usually. We work with our ecosystem partners to address these areas. We look at the top hitters—it's a huge tail—and move the dial. Sometimes this happens in standalone updates, while some [improvements] will wait for SP1."

Realigning Client with Server

One of the more interesting aspects of SP1 is that the development of
Vista and Server 2008 is now being realigned. You might recall that
these two products were developed in tandem through the release to
manufacturing (RTM) version of Vista in November 2006. Since then,
however, Microsoft has internally coordinated Vista SP1 with Server
2008, so much so that these products will be finalized and released
concurrently. Going forward, future Windows client and server service
packs will also be aligned. So SP2 will apply to both Vista and Windows
2008 and will be the first Server 2008 service pack.

This realignment isn't done for marketing reasons. Internally, both
Vista SP1 and Server 2008 utilize the same kernel and other core
substructures. So it makes sense to develop the products together. That
way, each can benefit from the unique improvements that are made to the
other.

What's Missing in Vista SP1?

One major feature that Microsoft previously promised for Vista SP1
won't be making it into the update: offline updating, or the ability to
drag and drop the SP1 executable into an UPDATE folder in a Vista
installation share and thus automatically slipstream or add that code
to any future Vista installations. The good news, however, is that
Microsoft is planning to make this capability available post-SP1. So
any post-SP1 hotfixes and service packs should support offline
updating.

"Vista Service Pack 1 will not be able to be applied as an offline
update to prestaged install images," Zipkin explained. "But this will
work as planned with future update, post-SP1 updates. We ran into some
unexpected issues with the servicing stack, so we can't do it for SP1.
But we're planning to add this capability for SP2, though we can't make
any promises. This will be a bigger issue around SP2 than it is now. We
think this is a one-time thing. But you can still make your own
slipstream DVD using the old '-integrate' method as with XP if you want
to."

12 Windows IT Pro FEBRUARY 2008

Deploying Vista SP1

Because Vista SP1 doesn't support offline updating, the deployment
picture will look familiar to anyone who has deployed service packs for
previous Windows versions. You simply purchase a new copy of Vista
after SP1 is released; you'll receive a version that has SP1
slipstreamed in. Consumers and small businesses can download SP1 via
Windows Update: It will be a 51MB to 55MB download, according to
Microsoft, depending on the system. Compare that to XP SP2, which
weighed in at about 110MB because of its many functional changes.

Administrators will typically want to download the standalone
installer, which includes all 36 languages currently supported by Vista
and works with any Vista disk. (There are separate x86 and x64
versions, actually.) The standalone installer will exceed 1GB in size.

Microsoft's guidance for Vista SP1 deployments is no surprise: The
company says that home users should install SP1 as soon as the update
appears on Windows Update. So, too, should the smallest, unmanaged
businesses (i.e., those not on an Active Directory infrastructure).

The arrival of SP1 shouldn't change anything for Microsoft's corporate
customers. "Our business customers already have the tools and guidance
they need to deploy Vista," Zipkin said. "Some are waiting to deploy,
but they can do some pre-SP1 work to hit the ground running. They can
begin application compatibility testing on the SP1 beta or Vista gold
[RTM] code, as the compatibility picture isn't changing. There are
architectural changes moving from XP to Vista, but that's a remediation
you will need to make with SP1 too. There's no need to stall things
because of SP1."

Vista SP1's Timing

Microsoft says it will ship the final version of Vista SP1 in first
quarter 2008, alongside Server 2008 and about three months before the
final XP service pack, SP3. Before that, the company will issue a
broadly available, near-final version of the update via its MSDN and
TechNet subscription services. This update will provide companies with
a way to easily test the software before it's available in final form.

Recommendations

With Vista, Microsoft had hoped to persuade its corporate customers not
to wait for the first service pack before deploying the system. Now
that we finally know what the company will include in Vista SP1,
Microsoft's advice suddenly makes sense. Vista SP1 doesn't dramatically
alter the Vista experience, so there's no need to wait until SP1 before
deploying Vista. That said, if your Vista deployment plans call for
rolling out the OS after first quarter 2008, there's no reason to step
up the schedule because of SP1. There's simply nothing dramatic here,
and Vista SP1 is what Microsoft service packs used to be like. That's a
good thing for anyone who wished that the Windows client team at the
software giant would take a page from the Windows Server playbook and
proceed on a more measured and calm development path. With Vista SP1,
it looks like that's exactly what's happening.

InstantDoc ID 97687 


Reader to Reader 


Alex J. 
Szmutko IV 


Put IE 7.0's Toolbar Back Where It Belongs

One of the hardest changes to get used to in Microsoft Internet
Explorer (IE) 7.0 is that the toolbar is located above the menu bar, as
Figure 1 shows. Most people I spoke with dislike this arrangement so
much that they use other browsers. However, you don't have to go to
that extreme. Instead, you can make a registry tweak that puts the menu
bar back on top. Here are the steps:

1. Close out of IE 7.0.

2. Open the registry editor by selecting Run on the Start menu. In the
Run dialog box, enter Regedit and click OK.

3. Navigate to the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser.

4. Right-click somewhere in the right pane of the registry editor,
select New, then choose DWORD Value.

5. Enter ITBAR7Position as the name.

6. Double-click that new value. In the Enter DWORD Value dialog box,
enter the value of 1 in the Data value textbox and select the Decimal
radio button. Click OK.

7. Close the registry editor.

Now if you open IE 7.0, you'll find that the toolbar is back where it
belongs, as Figure 2 shows.

—Alex J. Szmutko IV, Network 
Administrator, Midwest Heart Specialists 

InstantDoc ID 97608 


Get Hotfix Information Quickly with WMIC

There are dozens of different ways to find the hotfixes installed on
computers, but the fastest and simplest way is to use a widely
available tool named Windows Management Instrumentation Command-line
(WMIC). With WMIC, getting the IDs of all the hotfixes installed on the
local system can be done with this short command

wmic qfe get Hotfixid

If you aren't familiar with WMIC and want an even shorter command to
remember, you can cut the command down to

wmic qfe

Besides displaying the IDs, this command displays other details (e.g.,
hotfix name, hotfix installation date) about the installed hotfixes,
which can be helpful.

If you just need to determine whether a specific hotfix is installed,
you can avoid searching through a long list of hotfixes by piping the
wmic qfe command's output through the Find command. For example, if you
want to see whether hotfix 938194 is installed on the local machine,
you can run the command

wmic qfe | find "938194"

Note that you need to enclose the search string (in this case, 938194)
in quotes.

At this point, you might be wondering what qfe is. In WMIC, you use
aliases such as qfe to specify the Windows Management Instrumentation
(WMI) class you're interested in retrieving information from. In WMIC,
an alias is essentially a nickname. Just like it's easier to remember
people's nicknames than their full names, it's easier to remember
classes' aliases than their full names. Besides helping with
familiarity, aliases reduce what you have to type on the command line
and can help differentiate between classes with similar names.

Although WMIC assumes that you're using aliases on the command line,
you can use standard Windows Management Instrumentation (WMI) class
paths instead. For example, qfe is the alias for WMI's
Win32_QuickFixEngineering class, therefore

wmic qfe get Hotfixid

is equivalent to

wmic path win32_quickfixengineering get Hotfixid

The path keyword that precedes the name of the WMI class tells WMIC
that the path to a WMI class follows. So, if you don't know a
particular WMIC alias for a WMI class, all you need to do is use the
path keyword followed by the class's name.

Figure 1: The location of IE 7.0's toolbar before the registry tweak
Figure 2: The location of IE 7.0's toolbar after the registry tweak

There are several reasons why I use WMIC for checking hotfixes. As I
mentioned earlier, it's fast. You can type the entire command in an
open command-prompt window more quickly than you can navigate to most
programs on the Windows Start menu. It's simple because you don't need
to install special programs to perform the query for you. Equally
important, you can use it with virtually any Windows OS. Although WMIC
has been around only since Windows XP, you can use WMIC's /node
parameter to run the utility remotely against earlier Windows OSs, as
long as those OSs are running WMI. For example, to check for hotfixes
on a Windows NT 4.0 system named LegacyHost that has the NT 4.0 WMI
extensions installed, you'd run the command

wmic /node:Legacyhost qfe get Hotfixid 

There's another reason to use WMIC for getting hotfix information. If
you don't already use WMIC, it gives you an opportunity to become
familiar with it, which has an immense long-term payoff: One tool is
all you'll need to find out information about any WMI property on any
system you're connected to. All you need to know is the property's name
and the appropriate alias. For example, if you want the names of all
the printers on the local system, you'd use the printer alias with the
Name property in the command

wmic printer get Name

Need the CPU speed on the local machine? Simply run

wmic cpu get CurrentClockSpeed

The built-in aliases that are available for use can differ depending on
the OS you're using. For example, if you need to find the memory
currently installed on a Windows XP computer, you'd need to use

wmic memlogical get TotalPhysicalMemory

But on a Windows Server 2008, Windows Vista, or Windows Server 2003
machine, the command would be

wmic memorychip get Capacity

On the Windows IT Pro Web site, you can download a Microsoft Excel
spreadsheet that shows the differences between WMIC aliases on various
OS versions. Go to
www.windowsitpro.com/Windows/Article/ArticleID/97781/97781.html and
click the Download the Code Here button near the top of the page. The
97781.zip file that you download will contain the spreadsheet.

For more detailed information about WMIC's options, you can check the
built-in Help feature with one of the following commands:

wmic /?
wmic /?:full

Spending a little time learning about these options will pay off later
when you need quick access to particular information about the systems
you support.

—Alex K. Angelopoulos, 
Senior Network Engineer 

InstantDoc ID 97781 
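
The find pipeline in the tip above matches a substring on one machine at a time. The Python sketch below is an added example, not code from the original article: it audits saved output of wmic /node:<host> qfe get Hotfixid from several machines against a list of required hotfixes, matches IDs exactly, and keeps a failed query separate from a missing hotfix. Apart from 938194, the host names, hotfix numbers, and sample output are constructed for illustration.

```python
"""Audit saved `wmic qfe get Hotfixid` output for required hotfixes."""
import re

# "KB938194", "Q147222", "KB938194-v2" or a bare "938194" normalise to digits.
_ID_RE = re.compile(r"^(?:KB|Q)?(\d{5,7})(?:-v\d+)?$", re.IGNORECASE)


def normalise(hotfix_id):
    """Return the numeric part of a hotfix ID, or None if the text is not one."""
    match = _ID_RE.match(hotfix_id.strip())
    return match.group(1) if match else None


def parse_qfe_ids(wmic_output):
    """Return the set of hotfix numbers in the output, or None if the query failed.

    A successful query prints a "HotFixID" header row. Without it the text is
    an error message, which must not be read as "no hotfixes installed".
    """
    header_seen = False
    ids = set()
    for raw in wmic_output.splitlines():
        line = raw.strip()  # drops column padding and stray carriage returns
        if not line:
            continue
        if line.lower() == "hotfixid":
            header_seen = True
            continue
        number = normalise(line)
        if number:  # rows that are not hotfix numbers are ignored
            ids.add(number)
    return ids if header_seen else None


def audit(outputs_by_host, required):
    """Map each host to its sorted missing hotfix numbers (None = query failed)."""
    wanted = set()
    for item in required:
        number = normalise(item)
        if number is None:
            raise ValueError("not a hotfix ID: %r" % item)
        wanted.add(number)
    report = {}
    for host, text in outputs_by_host.items():
        installed = parse_qfe_ids(text)
        report[host] = None if installed is None else sorted(wanted - installed)
    return report


# Constructed sample output, one string per host (not captured from real systems).
SAMPLE_OUTPUTS = {
    # Padded columns and doubled carriage returns.
    "WS01": "HotFixID  \r\r\nKB938194  \r\r\nKB941202  \r\r\n",
    # KB9381941 contains "938194" as a substring but is a different ID.
    "WS02": "HotFixID   \nFile 1     \nKB9381941  \nKB925902-v2\n",
    # Unreachable host: error text instead of a result table.
    "LegacyHost": "Node - LEGACYHOST\nERROR:\n"
                  "Description = The RPC server is unavailable.\n",
}
REQUIRED = ["938194", "KB941202"]  # 941202 is a constructed second requirement


if __name__ == "__main__":
    for host, missing in audit(SAMPLE_OUTPUTS, REQUIRED).items():
        if missing is None:
            print("%s: query failed, patch state unknown" % host)
        elif missing:
            print("%s: missing %s" % (host, ", ".join("KB" + m for m in missing)))
        else:
            print("%s: all required hotfixes present" % host)
```

On WS02 a substring search for 938194 would report a hit because of KB9381941, while the exact comparison reports the hotfix as missing.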



New & Improved

EDITOR’S NOTE: Send new product announcements to products@windowsitpro.com.

Product Spotlight

Storage

External RAID Disk Storage

RAID hardware developer Infortrend has announced the EonStor
B12S-R/G1030 SAS-to-SAS and the B12F-R/G1430 FC-to-SAS arrays, the
first products in a line of small form factor RAID systems. These RAID
units utilize 2.5-inch drives, which are significantly smaller than
traditional drives. Infortrend claims that the reduced size of the new
systems translates into less power consumption and improved cooling,
which leads to additional cost savings.

“The new B12 SFF arrays have all the advantages of 3.5-inch SAS
systems,” says Alex Young, technical and marketing director for
Infortrend. “With our fifth generation ASIC400 and support for RAID5
and RAID6, storage managers will benefit from the advantages of a
smaller form factor without compromising on data protection and
reliability.” For more information, contact Infortrend at 408-988-5088
or visit www.infortrend.com.

Storage

Continuous Data Protection

Marathon Technologies has announced everRun CDP, a new continuous data
protection product. Part of the everRun product family, everRun CDP
provides continuous data protection by monitoring, capturing, and
replicating network data in real-time, and across disparate parts of
the IT infrastructure. Data can be recovered from any point by
selecting a date and time that you would like to see the data restored
to. EverRun CDP provides specific application support for Microsoft
Exchange, SQL Server, and SharePoint, and works with common network and
storage environments. For more information, contact Marathon
Technologies at 888-682-1142 or visit www.marathontechnologies.com.

Virtualization

Easily Run Server Software in a Windows Environment

The new JumpBox virtual appliance allows IT pros to install
server-based utilities and applications into self-contained virtual
machines called JumpBoxes. Using a JumpBox, admins can install and
begin using complex multi-user server software—such as Trac, Joomla!,
and Redmine—much faster than using traditional installation methods.
JumpBoxes are managed using a web-based interface, and JumpBoxes are
available for dozens of server applications. An online testing area
(called the proving grounds) allows users to test JumpBoxes before
using them in their own environment. For more information, contact
JumpBox at 480-967-5897 or visit www.jumpbox.com.

Communications

Send and Receive Faxes via Email and SMS

Aloaha Software has announced Aloaha FAX Suite, an enterprise fax
server. The software can send and receive faxes and SMS messages via
email, and works with any mail server (including Microsoft Exchange)
that supports SMTP/POP3. The product also supports Active Directory and
LDAP servers, and organizations without a mail server can use Aloaha
FAX Suite’s fax server software. It also includes support for Citrix
and terminal services, and runs on Windows Server 2008, Server 2003,
Windows Vista and Windows XP. For more information, contact Aloaha
Software at 212-599-7400 or visit www.aloaha.com.

InstantDoc ID 97794

Microsoft Exchange

Auditing and Email Management

GFI has released GFI MailArchiver 5, a software-based email archiving
solution for Microsoft Exchange Server. Focusing on the
small-to-midsized business (SMB) market, GFI aims to provide a
cost-effective solution with an easy-to-use interface. End users can
access archived mail at any time through a Web browser and can restore
items to their mailbox with the click of a button. The new version,
which is compatible with Exchange 2007, introduces improved PST
migration tools and administrator auditing functionality to help with
compliance and guarantee that archived messages aren’t altered. For
more information about GFI MailArchiver 5, contact GFI at 888-243-4329
or visit www.gfi.com.
Lantronix SecureLinx Spider

SUMMARY

Lantronix SecureLinx Spider

PROS: Single-system unit is cascadable; powered by attached system;
browser-based Java console permits easy implementation

CONS: A variety of concerns—including video and mouse synchronization
problems—muddle the user experience

RATING:

PRICE: $495

RECOMMENDATION: Although the Spider is workable, I don't recommend it.
You want a remote console experience that's clean and hassle free—not
what I experienced in my trials.

CONTACT: Lantronix • www.lantronix.com • 800-422-7055

Lantronix's SecureLinx line of KVM switches allows remote control of
both Intel-based and Macintosh computers over standard IP-based
networks, independent of the computers' OS. I tested the SecureLinx
Spider, a single-system KVM-over-IP unit that's unique in its design,
requiring no rack space; it's lightweight enough to hang from the back
of a system. The Spider is cascade-able, allowing many Spider units to
share a single Ethernet port.

The Spider does provide the convenience of browser-based remote control
of host computers. Using it, I was able to connect to a remote system
and complete typical operations there. Unfortunately, however, my
overall experience wasn't ideal. In my testing, I encountered lags in
screen updates, inconsistent mouse operation, and features that didn't
work consistently.

You can configure the Spider and control the attached computer through
one of two interfaces: a Web interface and SpiderView, a GUI that
requires Windows XP and ActiveX support. SpiderView is primarily an
administrative tool, letting you discover Spider devices on the
network, and includes a wizard to guide you through the device's
initial configuration. SpiderView also includes a remote control
interface.

The Spider’s embedded Web server and Java applets provide access to its
full complement of features and configuration options. Remote control
through the Web interface requires that the client run a Java Runtime
Environment (JRE). I tested the PS2 version of the Spider with a
variety of setup and remote control configurations. I found that some
options worked much better than others.

Mouse support for the PS2 model is configurable between USB and PS2
compatibility. You should avoid the PS2 mode; in my tests, the
indicated mouse pointer frequently lost synchronization with the host
system's mouse pointer location. Fortunately, newer systems support USB
mouse devices, and configuring the Spider to use this option worked
fairly well.

Media redirection is an interesting Spider-supported feature, letting
the remote system use data present on your local computer or a network
share. This capability is handy when you don’t find it convenient to
map to a network share from the remote system. From the Virtual Media
menu of the Spider's embedded Web site, Spider will mount a diskette
image file (up to 1.44MB) as an additional read-only disk drive.
Similarly, Spider will present a CD-ROM image file (up to SODMB)
present on a Windows Common Internet File System (CIFS) share to the
host system as a drive letter.

The Spider's user experience wasn't quite as clean as I hoped for.
Although more than adequate, the video refresh wasn't the fastest I've
seen. I was also a bit annoyed that I needed to keep my browser window
to the Spider’s Web interface open to maintain the Java console window.
Overall, I find it difficult to recommend this unit. Considering that
administrators generally do much of their work from one or two
workstations, a full-featured, performance-optimized remote control
client—with support for rapid connection to and switching among your
usual servers—would be a big improvement. Considering the Spider's
per-server price, I don't think that's too much to ask.

—John Green
In^tinFDnc ICrSTTSS 
WAYS TO PREVENT ROGUE DEVICES FROM

THESE PRODUCTS PROMISE TO SECURE YOUR SYSTEMS’ MANY ENTRY POINTS

Many years ago, users' only access to company data occurred through
dumb terminals to a mainframe. The data resided safely in the data
center, and the only way it might physically leave the data center was
on reel-to-reel tape or large, heavy hard drives. By contrast, today's
users have multiple access points to company data—for example, USB
drives, floppy drives, and even burnable CD/DVD drives. Dishonest
employees can easily use these points of access to steal sensitive
data. If you've considered blasting your users' USB ports with hot
glue, you aren't alone. But perhaps there's a more elegant solution
available to you.

The two products I investigate in this comparative review—SmartLine's
DeviceLock and ControlGuard's Endpoint Access Manager—can help you take
back control of all those vulnerable access points. I've focused on
only two representative products here, but keep in mind that other
options are available, including functionality that Microsoft
introduced in Windows XP SP2—see the sidebar "A Snapshot of the
Endpoint Security Market" for more information.

SUMMARY

SmartLine DeviceLock

PROS: You can use a GPO to configure settings for securing USB and
other access points; product is tightly integrated with AD but doesn't
require schema updates

CONS: The three separate management consoles can be confusing; support
site is sub-par

RATING:

PRICE: $35 per PC; volume discounts available

RECOMMENDATION: If you already use Group Policy extensively and would
like to control endpoints via GPO, DeviceLock comes highly recommended.

CONTACT: SmartLine • www.devicelock.com • aBB-eea-se^s

Smartline DeviceLock

DeviceLock Security's installation starts with the execution of a
typical setup.exe file. However, I found the installation a bit
confusing. The installation wizard has two main options to choose from:
Use the Service + Consoles option to install the DeviceLock service and
management consoles, or use the Server + Consoles option to install the
server component and the consoles. At first, these options look the
same, but as you can see, one is the DeviceLock service and the other
is the server product. The first option is selected by default, leading
to my confusion.

According to the DeviceLock Manual PDF guide, the “DeviceLock Service
should be installed on the computer so you can control the access to
devices on that computer.” Is the DeviceLock Service required on the
management server? I called the company to ask for clarification. A
friendly technician explained that the service is necessary only if you
want to protect USB and other endpoints on the server. Otherwise, you
can skip the service installation on the server and deploy it just to
the user's PC. I find it a bit odd that the service is selected by
default, but apparently it's provided as a convenience.
There's also a Custom option. I used this method to install the service
and the server. The optional DeviceLock Enterprise Server
component—which requires a SQL Server back end—allows for the
centralized collection and storage of shadow data and audit logs. If
you have a SQL Server infrastructure, ControlGuard recommends that you
use that. If you don't have SQL Server available, the PDF manual
provides a direct link for downloading SQL Server 2005 Express.

After the installation was complete, I was presented with three
separate consoles on the desktop: DeviceLock Management Console (a
Microsoft Management Console—MMC—snap-in), DeviceLock Service Settings
Editor (similar to the new tools that DeviceLock adds to Group Policy),
and DeviceLock Enterprise Manager (recommended if you have a large
network without Active Directory—AD). These consoles were a bit
overwhelming, combined with the product's promise of Group Policy
integration.

To keep things initially simple, I started with DeviceLock Enterprise
Manager and remotely installed the DeviceLock Service onto my test XP
machine. As I expected, the service wasn't able to install because the
XP SP2 firewall was blocking it. The DeviceLock Manual provides
detailed instructions for either opening the XP firewall with the
necessary ports or setting a specific port for all DeviceLock
communication. I used Group Policy to configure the XP firewall, and I
was able to install the service remotely.

The DeviceLock Service is also available in an MSI format, so you can
install it through Group Policy or SMS. I highly recommend a structured
AD with hierarchal organizational units (OUs), in which users and
computers are taken out of the default containers. This setup helps you
organize and find user and computer leaf objects, and makes Group
Policy deployment much easier. I would place a policy at the highest
All Computers OU, then deploy the DeviceLock Service from there. There
isn't a built-in automated method to deploy the client agent (as the
ControlGuard product offers), so I had to set up my own way to ensure
that all desktops had the DeviceLock agent installed as soon as they
were added to the domain. To do this, I applied a Group Policy to an OU
containing all the users' computers. Now, every time I add a computer
to the domain, the client software is installed automatically. Figure 1
shows DeviceLock's smooth integration with your existing GPOs.

Figure 1: DeviceLock’s smooth integration with your existing GPOs

A Snapshot of the Endpoint Security Market

While researching products to include in this comparative review, we
found five vendors that offer enterprise-level software for securing
endpoints such as USB ports, CD/DVD drives, and so on. Although only
two vendors chose to participate in the review, we mention the others
here for the purposes of completeness.

• DriveLock (www.drivelock.com)

• FullArmor Endpoint Policy Manager (www.fullarmor.com)

• GFI Endpoint (www.gfi.com)

• GuardianEdge Removable Storage Encryption (www.guardianedge.com)

In addition, Microsoft added functionality in Windows XP SP2, with
which you can make USB devices Read Only. My original intention was to
provide a detailed comparison of this feature with the features of the
two products in the main review. However, the XP SP2 option amounts to
a simple registry entry and doesn’t offer any of DeviceLock’s or
Endpoint Access Manager’s advanced features. At any rate, you can find
more information about the XP SP2 functionality in John Savill’s FAQ
article, “How can I mark my USB storage devices as read-only?”
(InstantDoc ID 44380).

InstantDoc ID 97811

After 1 verified that 
the DeviceLock agent 
was running (it runs as 
a typical NT service), I 
used DeviceLock Enter¬ 
prise Manager to deploy 
my first policy. This 
simple process lets you 
select specific AD users 

www.windowsitpro.com 








































.INFRASTRUCTURE LOG 

_DAY 82: There are so many risks out there. Traffic spikes, 
natural disasters, mergers. How do we prepare? One in three 
companies don’t recover from unplanned downtime.' Would we? 

_Gil wrapped everything with bubble wrap. Just to be safe. 

_DAY 83: I’m preparing with IBM Business Resilience 
Solutions. IBM Business Continuity Services help us 
assess our risks and design a proactive plan to deal with 
them. IBM Tivoli gives us the visibility to diagnose and 
fix infrastructure problems. And the robust availability 
features of the IBM System p™ give us maximum uptime. 

_No more bubble wrap. And I have to mail a package. Great. 



0 






Tivoli 


Take the business continuity assessment at: 

IBM.COM/TAKEBACKCONTROL/READY 




^Source: “Business Continuity Unwrapped,” Continuity Central, 2006, www.continuitycentral.com/feature0358.htm . IBM, the IBM logo. System p. Take Back Control and Tivoli are trademarks or 
registered trademarks of International Business Machines Corporation in the United States and/or other countries. ©2007 IBM Corporation. All rights reserved. 
SUMMARY

ControlGuard Endpoint Access Manager

PROS: Automatically installs the client agent as new PCs are added to
AD; excellent centralized administration tool

CONS: Support site is sub-par

RATING: ♦♦♦♦O

PRICE: $25 per PC (includes first-year maintenance)

RECOMMENDATION: If you prefer a simple console and want to ensure that
the agent is installed as soon as the PC is added to the domain,
ControlGuard gets an equally high recommendation.

CONTACT: ControlGuard • www.controlguard.com • 908-203 4685


or groups, the date and time those users or 
groups are permitted to access the device, 
and even the specific user rights (i.e., Read,
Write, Format, Eject) allowed for each device. 
You can secure not only USB ports but also 
Bluetooth ports, CD/DVD drives, FireWire 
ports, floppy drives, hard disks, infrared (IR) 
ports, parallel ports, removable devices, serial 
ports, tape drives, Wi-Fi access points (APs), 
and Windows Mobile devices. When you 
think of points of access, USB is probably the 
first type that comes to mind, but data can be 
compromised from many entry points. For a 
listing of endpoints that DeviceLock protects, 
see Table 1. 

As soon as I attempted to access a USB device on the XP client, a
dialog box immediately informed me that access was denied. I tried to
find a way around the policy but was thwarted at every attempt. I even
tried to stop the DeviceLock service, but the Stop button was disabled.

Integrating DeviceLock management with Group Policy is a brilliant
idea. After using DeviceLock Enterprise Manager to play around with
policies, I decided to deploy a policy using a Group Policy Object
(GPO). Opening a new GPO brings up a new addition called SmartLine
DeviceLock—not a simple administrative (ADM) template but a fully
functional GUI that looks and feels just like the aforementioned
DeviceLock Service Settings Editor. Using this screen, I was able to
deploy endpoint security settings to users' computers just as I had
done through DeviceLock Enterprise Manager. If you already have
structured AD and Group Policy management procedures in place, I
highly recommend that you use this method to deploy the settings.

As you apply policies to secure endpoints, 
it can quickly become difficult to determine a 
given PC's actual settings. Because DeviceLock 
is heavily integrated with AD and Group Policy, 
it can take advantage of Microsoft's Resultant 
Set Of Policy (RSOP) tool. 

ControlGuard Endpoint 
Access Manager 

Like DeviceLock, Endpoint Access Manager requires either Microsoft SQL
Server or SQL Server 2005 Express. If you have neither installed, the
setup wizard adds and configures SQL Server 2005 Express for you—a nice
touch that simplifies installation.

While installing the product, I noticed that its Installation Guide PDF
file doesn't follow the wizard exactly. This inconsistency didn't throw
me off too much, but it was frustrating to see that the documentation
hadn't been updated to coincide with the actual product.

During installation, I missed the fact that Endpoint Access Manager
requires Microsoft IIS, so setup paused with the standard Abort, Retry,
or Ignore dialog box. I left the message onscreen and installed IIS
through the Control Panel Add or Remove Programs applet. I was then
able to click Retry, and the Endpoint Access Manager installation
continued. The installation could have easily bombed out because I
didn't have a prerequisite in place, but I was pleased that it let me
continue.

The product then prompted me to create a new database. You can choose
No and set up the database yourself, but I decided to let the
installation wizard do it for me. The wizard asked for the connection
information to the SQL Server database. This information filled in
automatically, so all I had to do was click Create.

After the installation was complete, I double-clicked the ControlGuard
Administration Console desktop icon and the software presented me with
a logon dialog box. The Installation Guide gave me the initial username
or password that I needed to log on. You can easily change the password
from within the administration console. The first time you start the
console, a wizard walks you through the configuration process. The User
Manual also provides a nice workflow that shows you how to get
everything up and running.

The first step in the wizard is to set up directory collaboration with
Endpoint Access Manager. I tested this functionality only with Windows
Server 2003 AD, but NT domains and Novell eDirectories domains are also
options. The purpose of AD integration is to let you create logical
groups of computers to manage based on OUs you already have in AD.
The next step is to add the computers to
which you want to apply the settings. If you 
have your computers segregated into OUs, this 
step will be simple. For example, if your OU 
structure contains two OUs called Managers 
and Ops Floor beneath All Computers, it would 
be easy to deploy the policies to just those two 
separate OUs and not to the other servers or 
domain controllers (DCs). 

Endpoint Access Manager uses a certificate to ensure that the server
and client are communicating with the correct machines. The certificate
has to live in the \system32 folder under C:\windows on each client
machine. You can copy the certificate manually or use the included MSI
Updater to insert the certificate into the MSI installation file.
Adding the certificate is simple. If you want, you can also update the
.msi file with some initial policies. Doing so helps ensure that all
your new PCs are secured as soon as their computer accounts are added
to the domain.

Before you can send out a policy to secure endpoints, you need to
install the agent onto each PC. The typical methods are available
(i.e., setup.exe file, batch script, Group Policy), but what sets
Endpoint Access Manager apart is its "on-the-fly distribution." This
feature installs the client onto all network computers almost
immediately. After you start the Endpoint Access Manager AD
Synchronization service, you can set it to synchronize with


Table 1: Comparing the Endpoints that Each Product Protects

DeviceLock          Endpoint Access Manager
Bluetooth           Bluetooth
CD/DVD              CD/DVD
Floppy              Floppy
FireWire            FireWire
IR                  IR
Wi-Fi               Wi-Fi
Parallel            Parallel
Removable           Removable
Serial              Serial
USB                 USB
Windows Mobile      Windows CE
Tape                Printing
Hard Disk           Imaging
                    RIM
                    PCMCIA
                    Palm


AD every x minutes. (I set it to 5 minutes.) 
Now, every time a computer is added to AD, 
the ControlGuard Endpoint Access Manager 
Service is automatically installed onto the new 
machine. What I like about this method is that 
it's totally hands-off for the administrator. You 
have enough to worry about without having to 
manage the installation of the Endpoint Access 
Manager client! 

I waited a few minutes for the client to install, but nothing happened.
The XP firewall log indicated that the Endpoint Access Manager server
was trying to connect to the XP client through port 135. I opened that
port, but the client still wouldn't install. The deployment event log
within the ControlGuard Administration Console indicated that I needed
to fix the security or WMI settings on the XP client. I couldn't find
any documentation that described which ports needed to be opened for
the client to install, and the Support Page at ControlGuard's Web site
appeared to be down for reorganization. To continue with my testing, I
decided to simply shut off the XP firewall. The client then installed
in a few minutes. This documentation oversight needs to be addressed
soon.

The final step is to create Access Control Lists (ACLs) that define
which devices can and can't be used on a computer. I called my first
ACL total lockdown and proceeded to lock everything—removable storage,
floppy drives, Bluetooth ports, printer ports. Figure 2 shows the ACL
Editor. Endpoint Access Manager can lock down the same devices as
DeviceLock, but also adds protection for Palm OS devices, Windows CE
devices, Research in Motion (RIM) devices, and printers, as you see in
Table 1. When I logged in as a normal user on the XP PC, I was
immediately denied access to my USB thumb drive.

As I mentioned earlier, DeviceLock's tight integration with Group
Policy lets it use the RSOP tool to determine which security settings
will apply to a given user or PC. Endpoint Access Manager doesn't have
the same integration. Instead, it uses a tool called the ACL Simulator.
You simply add the name of the computer and the name of the user or
group to which the policy will apply, then click Calculate. This
functionality is no better or worse than that of the RSOP tool—just
different.

Make Your Choice 

Both SmartLine and ControlGuard offer exceptional products that can
help you get a handle on rogue devices that can potentially steal your
company data. Endpoint Access Manager has the simplest interface of the
two and offers all its tools on one handy screen. I also valued the
Endpoint Access Manager AD Synchronization service, which ensures that
all new computers added to the AD domain have the ControlGuard Endpoint
Service installed and running.

Both products support the use of white lists (ControlGuard calls its
list an Approved Device List). This feature lets you permit certain
devices based on users, computers, devices, or vendors. For example,
suppose you want to disable the USB port for all devices except a
mobile Internet card. This feature lets you create a blanket policy
that disables the USB port yet permits this one special device.
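The calculation that an RSOP query or the ACL Simulator answers ("what can this user actually do with this device?") can be sketched as follows. This is an added example, not code from DeviceLock or ControlGuard; the rule model, group names, device IDs and dates are all constructed assumptions.

```python
"""Added illustration (not DeviceLock or ControlGuard code): a default-deny
device-control policy with per-group rights, time windows and an approved
device list. Every name, ID and rule below is constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, time

ALL_DAYS = frozenset(range(7))          # 0 = Monday ... 6 = Sunday
WEEKDAYS = frozenset(range(5))


@dataclass(frozen=True)
class Device:
    device_class: str                   # "usb", "cd_dvd", "bluetooth", ...
    vendor_id: str = ""
    product_id: str = ""


@dataclass(frozen=True)
class Rule:
    """Grants rights on a whole device class to a user or group."""
    device_class: str
    principal: str
    rights: frozenset                   # subset of read/write/format/eject
    days: frozenset = ALL_DAYS
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class ApprovedDevice:
    """Approved-device (white list) entry for one specific device model."""
    vendor_id: str
    product_id: str
    principal: str
    rights: frozenset


def effective_rights(device, user, groups, when, rules, approved):
    """Return (rights, reasons). Nothing is allowed unless a rule grants it."""
    principals = {user} | set(groups)
    rights, reasons = set(), []
    for rule in rules:
        if rule.device_class != device.device_class or rule.principal not in principals:
            continue
        if not rule.active(when):
            reasons.append(f"class rule for {rule.principal} outside its time window")
            continue
        rights |= rule.rights
        reasons.append(f"class rule for {rule.principal}: {sorted(rule.rights)}")
    for entry in approved:
        same_model = (entry.vendor_id, entry.product_id) == (device.vendor_id, device.product_id)
        if same_model and entry.principal in principals:
            rights |= entry.rights
            reasons.append(f"approved device for {entry.principal}: {sorted(entry.rights)}")
    if not rights:
        reasons.append("no matching grant: access denied")
    return frozenset(rights), reasons


# Constructed policy: USB is locked for everyone except Managers (read-only,
# weekdays 08:00-18:00), plus one approved mobile Internet card for all users.
RULES = [Rule("usb", "Managers", frozenset({"read"}), WEEKDAYS, time(8), time(18))]
APPROVED = [ApprovedDevice("0xAAAA", "0x0001", "Domain Users", frozenset({"read", "write"}))]

THUMB_DRIVE = Device("usb", "0xBBBB", "0x0002")
INTERNET_CARD = Device("usb", "0xAAAA", "0x0001")
MONDAY_10AM = datetime(2008, 3, 3, 10, 0)
SATURDAY_10AM = datetime(2008, 3, 1, 10, 0)

if __name__ == "__main__":
    cases = [
        ("ops user, thumb drive", THUMB_DRIVE, "jdoe", ["Domain Users"], MONDAY_10AM),
        ("ops user, approved card", INTERNET_CARD, "jdoe", ["Domain Users"], MONDAY_10AM),
        ("manager, weekday", THUMB_DRIVE, "asmith", ["Domain Users", "Managers"], MONDAY_10AM),
        ("manager, weekend", THUMB_DRIVE, "asmith", ["Domain Users", "Managers"], SATURDAY_10AM),
    ]
    for label, dev, user, groups, when in cases:
        granted, why = effective_rights(dev, user, groups, when, RULES, APPROVED)
        print(f"{label}: {sorted(granted) or 'DENIED'}")
        for line in why:
            print("   ", line)
```

The reasons list is the part worth keeping in any real audit: it records which grant produced each right, which is what you need when a PC's actual settings have become hard to trace.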

DeviceLock hits a home run with its Group Policy integration. This
functionality lets you install and configure the client service in one
place. The management tools do get a little busy until you get
comfortable with the purpose of each one.

After you've secured your network's endpoints, you'll probably want to
generate a report either for auditing purposes or for confirmation that
you've set everything up correctly. Endpoint Access Manager offers
extremely detailed reports via a Web page. (For that reason, IIS is
required during the initial installation.) DeviceLock has its reporting
built directly into the DeviceLock Enterprise Manager, which lets you
make policy changes directly from the report. For example, if the
report shows that the floppy drive is accessible to everyone when it
shouldn't be, you can right-click that particular endpoint and make the
necessary security changes immediately.

Neither vendor has a great support Web site. I expected to see more
than a few FAQs and would have liked to browse each company's Knowledge
Base (KB) articles. This lack of detailed support was by far my biggest
disappointment while reviewing these two products.
A FIRST LOOK AT WINDOWS SERVER 2008

Can Microsoft level the virtual playing field held by VMware ESX Server?

BY MICHAEL OTEY

Virtualization is one of today's hottest IT technologies, and Windows
Server 2008's new native virtualization feature, Hyper-V, is a
significant new competitor that has the potential to change the market.
VMware ESX Server is the current market favorite. To make an informed
decision about Hyper-V, you need to understand how the architectures of
the two products compare. In addition, Hyper-V introduces some
important new features, and you'll want to see how Hyper-V and the
older Virtual Server 2005 R2 relate to each other. Finally, to enrich
your understanding of Hyper-V, I'll show you how to set it up and use
it.


Prerequisites for 
Hyper-V 

Unlike Microsoft's Virtual Server 2005 R2, which runs on both 32-bit
and 64-bit systems, Hyper-V requires an x64-based system that has
either Intel-VT or AMD-V support. In addition, the host system's CPU
must have data execution protection enabled (the Intel XD bit or the
AMD NX bit). Microsoft will provide Hyper-V virtualization technology
with the following versions of Windows Server 2008:

• Server 2008, Standard: $999 with five Client Access Licenses (CALs) 

• Server 2008, Enterprise: $3,999 with 25 CALs 

• Server 2008, Datacenter: $2,999 per processor 

Like the Windows Server 2003 R2 Enterprise and Datacenter Editions,
Server 2008 Enterprise Edition allows up to four virtual Windows
instances with no additional licensing costs, and Server 2008
Datacenter Edition allows an unlimited number of virtual Windows
instances with no additional licensing costs. You can use Hyper-V with
either the full Server 2008 installation or Server Core, for any of the
Server 2008 editions. In addition, Microsoft will offer a standalone
version called Hyper-V Server for $29.

[Figure 1: Overview of Server 2008 Hyper-V architecture. Diagram
labels: Parent Partition; Child Partitions; Applications; User Mode;
Kernel Mode; non-hypervisor-aware OS; Xen-enabled Linux kernel; Linux
VSCs; Windows Server hypervisor.]

Windows Server Hyper-V 
Architecture 

Designed to compete with VMware's ESX Server, Hyper-V has been built
from scratch based on a new microkernel architecture. Figure 1 shows an
overview of the new Server 2008 Hyper-V architecture. For a quick
comparison of ESX Server and Hyper-V, see the sidebar "Feature for
Feature: VMware ESX Server vs. Microsoft Hyper-V."

Unlike Virtual Server's hosted virtualization model, which requires
installing the virtualization software on top of a host OS, Hyper-V is
a virtualization layer that runs directly on the system hardware with
no intervening host OS. The Hyper-V architecture consists of the bare
metal microkernel hypervisor and parent and child partitions.

All Hyper-V implementations have one 
parent partition. This partition manages the 
Hyper-V installation. The Windows Server 
Virtualization console runs from the parent 
partition. In addition, the parent partition is 
used to run thread-supported legacy hardware 
emulation virtual machines (VMs). These 
older emulation-based VMs are essentially 
the same as the VMs that run under a hosted 
virtualization product such as Virtual Server. 

Guest VMs run on Hyper-V child partitions. Hyper-V's child partitions
support two types of VM: high performance VMBus-based VMs or hosted
emulation VMs. VMBus VMs include Windows Server 2003, Windows Vista,
Server 2008, and Xen-enabled Linux. The new VMBus architecture is
essentially a high performance in-memory pipeline that connects
Virtualization Service Clients (VSCs) in the guests with the host's
Virtual Service Provider (VSP). Hosted emulation VMs support guest OSs
that don't support the new VMBus architecture. These OSs include
Windows NT, Windows 2000, and non-Xen enabled Linux, like SUSE Linux
Server Enterprise 10.


Hyper-V and Virtual Server 

Server 2008 Hyper-V introduces capabilities 
that aren't available with Virtual Server 2005 
R2. Running exclusively on the x64 platform, 
Hyper-V supports host systems with up to 1TB 
of RAM, and Hyper-V doesn't limit the number 
of active VMs; the only limitation comes from 
the capabilities of the host server hardware. In 
addition, the Hyper-V VMs are more scalable 
than Virtual Server VMs. Hyper-V supports 
both 32-bit and 64-bit guest OSs. Not only can 
guest VMs take advantage of Hyper-V's higher 
performing VMBus architecture, but guest 
VMs also can use more RAM and CPU than 
Virtual Server offers. Virtual Server 2005 R2 
has no support for virtual SMP and is limited 
to 3.6GB of RAM per VM. Hyper-V supports up 
to 4 virtual processors per VM and up to 32GB 
of RAM per VM. To take full advantage of this 
support, the host system must have at least 4 
cores and more than 32GB of physical RAM. 

Hyper-V provides new storage features. Storage Area Network (SAN)
support lets you boot VMs and implement guest-to-guest failover
clustering, as well as virtual server host failover clustering. Hyper-V
also introduces the pass-through VM access storage feature. With
Hyper-V, you can access virtual hard disk (VHD) images without mounting
the VHD image in a running VM. Hyper-V can also take advantage of
Volume Shadow Copy Service (VSS) for live VM backup. On the networking
side, Hyper-V includes a new virtual switch with support for Windows
Network Load Balancing (NLB) across VMs on separate servers. In
addition, Hyper-V allows multiple snapshots of running VMs with the
ability to revert back to any of the saved snapshots.


FEATURE FOR FEATURE:
VMware ESX Server vs. Microsoft Hyper-V

VMware's ESX Server leads the market in enterprise-level
virtualization. It will be an uphill climb for Microsoft's Hyper-V to
catch up. ESX Server has the track record, but Hyper-V's feature set,
discussed in this article and listed in Table A, definitely puts it in
the running. Being included with Windows Server 2008 makes Hyper-V's
price compelling, particularly to mid-sized and small organizations.
Table A shows a feature comparison of ESX Server 3.0 and Server 2008
Hyper-V.

Both virtualization products are hypervisor-based. However, one big
difference is that the ESX Server has a heavyweight hypervisor that
contains device drivers. In contrast, Microsoft has a thin hypervisor
that contains no drivers and no third-party code. Hyper-V's device
drivers are in the guest OSs. Hyper-V's thin hypervisor layer makes it
more efficient and more secure than ESX Server, because it contains no
third-party code. Both products support 32-bit and 64-bit guest OSs.
ESX Server supports more RAM per VM but is limited to 128 active VMs
(which is probably enough for anyone) versus Hyper-V's unlimited number
of active VMs. One area where VMware still leads is in support for Live
Migration (moving running VMs from one host to another). Hyper-V does
not support Live Migration, but, when coupled with System Center for
Virtual Machine Manager, it allows what Microsoft calls Quick
Migration: quickly saving the state of a running VM and then moving
that VM and saved state to another host.

InstantDoc ID 97858

Table A: Comparing ESX Server and Hyper-V Features

Feature               VMware ESX Server                Windows Server Hyper-V
Hypervisor            32-bit heavyweight hypervisor    64-bit microkernel hypervisor,
                      with drivers                     drivers in guests
32-bit host support   Yes                              No
64-bit host support   Yes                              Yes
32-bit VMs            Yes                              Yes
64-bit VMs            Yes                              Yes
Maximum host CPUs     32                               32
Maximum host RAM      128GB                            1TB
Guest SMPs            4                                4
Maximum RAM per VM    64GB                             32GB
Live migration        Yes (with version 13)            No
Number of VMs         128                              Unlimited


Installing Hyper-V 

Hyper-V is not installed in Server 
2008 by default. To install Hyper-V, 
you use the Server 2008 Server Manager. Click 
Start, Programs, Administrative Tools, and 
then select the Server Manager option. In 
Server Manager, add the virtualization role 
by clicking Add Roles, which displays the Add 
Roles Wizard shown in Figure 2. 

In the Add Roles Wizard, check the Windows Server virtualization role.
Then click Next and step through the wizard's screens to learn about
and configure Hyper-V. The wizard first explains that you might need to
configure your BIOS for virtualization support, and it provides links
to Windows Server Virtualization Online Help files. Next, the wizard
prompts you for the Local Area Connections that you want to associate
with your virtual networks. By default, the wizard creates one virtual
network for each physical network adapter that's installed. Next,
you're asked to confirm your selections and prompted to restart your
system.

AMD-V systems have virtualization support enabled by default. In
contrast, if your system uses Intel-VT virtualization, check your
system's BIOS configuration during the boot process and make sure that
virtualization is enabled. For systems with Intel motherboards, press
F2 during the boot process to see the BIOS configuration. You can set
the Enable VT option to enable virtualization support in the processor.

After the system reboots, the Resume Configuration Wizard screen
appears. Use it to finish installing the Windows Server Virtualization
role. The new Windows Server Virtualization role will then be listed
under Server Manager's installed roles node.

Figure 2: Installing the Windows Server Virtualization role


Hyper-V's Management Console

After the virtualization role is installed, you're ready to fire up
some new VMs. Unlike Virtual Server 2005 R2, which you manage through a
Web-based console, Hyper-V is managed through a Microsoft Management
Console (MMC) 3.0-based Windows GUI. You start Hyper-V's Virtualization
Management Console by clicking Start, Administrative Tools, and then
selecting Windows Virtualization Management. Figure 3 shows the Hyper-V
management console.

You can manage multiple Hyper-V server instances in the management
console's left pane. Selecting a server instance displays that server's
VMs in the center Virtual Machines pane. You can manage the VMs by
right-clicking them and selecting from among the following commands on
the context menu:

• Connect: Allows you to connect to a running VM, which starts the
  Virtual Machine Connection window

• Settings: Enables you to edit the VM properties

• Turn Off: Powers down the VM

• Revert: Applies a saved snapshot to the VM, returning it to a prior
  saved state

• Shut Down: Shuts down the VM's guest OS

• Save State: Saves the current state as a running VM

• Pause: Halts the execution of a VM

• Snapshot: Saves a snapshot of the current VM state

Use the Actions pane on the right side of the Virtualization Management
Console to perform common actions such as creating new VMs, editing VM
properties, editing virtual hard disk configurations, starting and
stopping the virtualization service, and removing servers from the
console.


Use the Wizard to Create 
and Migrate VMs 

Creating VMs is easy using Hyper-V's New 
Virtual Machine Wizard. To start the wizard, 
click New in the Virtualization Management 
Console Action pane. 
Figure 3: The Virtualization Management Console

Figure 4: The New Virtual Machine Wizard


As Figure 4 shows, the first screen prompts you for the VM name and the
location where the VM will be created. By default, Hyper-V creates new
VMs in the C:\ProgramData\Microsoft\Windows\Virtualization directory.
To change the default location, you can use Virtualization Settings in
the Virtualization Management Console. Next the wizard prompts you for
the amount of memory allocated to the VM. The default value is 256MB,
but you can allocate from 8MB to 32MB of RAM per VM (limited by your
system's physical RAM).

Next, the wizard asks you about networking the VM. You can choose no
network or select a virtual network. The wizard created virtual
networks when you first added the virtualization role. To create
virtual networks, you can also use Virtual Network Switch Management in
the Virtualization Management Console. You can configure the virtual
network switch to allow internal networking so that VMs can connect
with other VMs or to the Windows Server host. You also can create a
virtual network that connects to one or more of the host's physical
network adapters for external network connectivity.

The New Virtual Machine Wizard gives you the option of creating a VHD,
connecting to an existing VHD, or attaching to a VHD later. By default,
VHDs are created in the C:\Users\Public\Documents\Virtual Hard Disks
directory. To change this default directory, you can use Virtualization
Settings in the Virtualization Management Console. Hyper-V uses the
same on-disk VHD format as Virtual Server 2005 R2. This common format
makes it easy to migrate existing Virtual Server 2005 R2 and Virtual PC
VMs to Server 2008 Hyper-V: Select the option to use an existing VHD
and then provide the wizard with the path to the VHD file. This
attaches the existing VHD to the new Hyper-V VM. If you chose to use a
new VHD, then the next screen offers OS installation options. You can
install the OS later or install the OS from either the host's CD/DVD
drive or from an ISO image file. The last screen presented by the
wizard prompts you to confirm your VM configuration settings. Finishing
the wizard creates the new VM automatically. You have the option to
start it right away or you can manually start it later.

After a VM is created you have the option to install the new
Integration Services on the guest. (Before you install Integration
Services it's a good idea to uninstall the Virtual Server R2 Tools;
Integration Services replaces the older Virtual Machine Additions.)
Integration Services provides improved mouse support and host time
synchronization. You can install Integration Services on the guest OS
by starting a Virtual Machine Connection from the Virtualization
Management Console. From the Virtual Machine Connection Action menu,
choose Insert Integration Services Disk. In using the new Hyper-V VM, I
definitely noted the brisk performance for the running VMs.


What's Next for Hyper-V?

Microsoft shipped a beta version of Hyper-V 
in December. A prerelease version of Hyper-V 
will ship with the initial release of Server 2008. 
Microsoft has stated that the final Hyper-V 
code will ship within 180 days of the Windows 
Server 2008 release to manufacturing (RTM). 
The final Hyper-V code will be released via 
Windows Update, so you won't need to go 
through additional downloads or installation 
processes to get the RTM Hyper-V code. 

Microsoft's Hyper-V is an evolutionary technology that can complement
or go beyond the virtualization approach of Virtual Server 2005 R2.
Hyper-V's new microkernel, hypervisor-based solution delivers better
performance, more features and functionality, and improved scalability
over Virtual Server 2005 R2. These advances level the playing field
with VMware's market leader, ESX Server. The fact that Server 2008
introduces Windows-native virtualization in the form of Hyper-V is sure
to drive the adoption of virtualization in organizations of all sizes.
And Hyper-V will help drive the adoption of Server 2008. The price and
easy accessibility make moving to Hyper-V virtualization especially
attractive for small and medium businesses (SMBs). Plus, ESX Server's
more difficult Linux-style administration and higher price deter many
SMBs. For more information about Windows Server Hyper-V, see the
Learning Path that accompanies this article.
Exchange Server Archiving Software

Products that provide better mail server performance and increase user productivity 


Several years ago, the Windows IT Pro editorial department received a
discovery request from a law firm for our records of email
communications with a particular company. The editorial department
fretted over how to identify what those email messages were, never mind
recover them all, in the limited amount of time provided. Fortunately,
the law firm dropped the request a few days later—but the experience
left everyone here wondering how to handle such a situation if it
happened again.

Email-archiving products are geared toward making 
situations like this one easier to deal with. Such products 
are designed to let messaging administrators or even end 
users easily retrieve specific email items, such as messages, 
appointments, or attachments—based on any number of 
criteria. This buyer's guide looks at software solutions for 
Microsoft Exchange Server email archiving. There are many 
email-archiving products worth investigating, so let's take 
a look at some things you need to know to make the best 
choice for your organization. And don't forget to peruse the 
buyer's guide table to see how your favorite email-archiving
vendors stack up against one another. 

A Backup Isn’t an Archive 

Most companies back up their entire network infrastructure regularly,
including the Exchange server and all its databases. Such backups are
intended primarily for disaster-recovery situations and typically rely
on tape for storage. Recovering individual items from such backups is
time-consuming if not downright prohibitive.

The benefit of an email archive is that you can recover anything from
one accidentally deleted message to an entire mail database—a
flexibility that simply isn't part of a traditional backup. Although an
email archive can be used as part of a disaster-recovery scenario, its
primary uses are to provide better performance for your mail servers
and—the really big one—to comply with legal requirements or requests.

Saving Your Server 

The importance of email for business communication 
places a serious load on your infrastructure—particularly 
your email server. Many end users treat their email client 
as a sort of all-purpose filing cabinet. Unless the company 
imposes a quota on email storage, users are likely to keep 
stuffing email messages into different folders until the 
server is choking on them. 

You can think of an email-archiving solution as a Heimlich maneuver for
your mail server, ready to expel the cause of the choking. Many
archiving software products will remove the original message from your
Exchange server, freeing up important space. Some solutions will even
leave a stub in the user's mailbox with the introductory parts of the
message and a link to the full text in the archive; if you want to read
the entire message, the product retrieves it at your request.

You should also consider how the product handles 
email attachments. Attachments should be part of the 
email archive, but do you need the software to index them 
so that they can be searched? If security is a factor for you, 
you might want the archive to be encrypted. And if you're 
budget-conscious, you might want a solution that provides 
compression and single-instance storage. 

Email archiving can also be part of a business continuity plan. Beyond
the obvious disaster-recovery scenario, consider what you'd do if a key
employee were to leave your organization suddenly. With an email
archive, you could pull that employee's correspondence to ensure that
important data isn't lost in the transition.

Complying with Security Regulations 

The driving force for most organizations implementing an 
email-archiving solution is the need to comply with particular 
regulations or to be prepared for a legal investigation. A big 
feature to consider is whether the product can create litigation 
holds, which are rules of retention for specific items that 
override the normal retention of the archive. And, if you find 
yourself in a particularly litigious field, you might need the 
product to be able to establish multiple overlapping holds on 
data as well. In addition to retention, you need to be able to 
find specific items to answer discovery requests, so pay attention 
to what type of search capability each solution offers. 

Also, some security regulations dictate how data is 
archived. For instance, the Sarbanes-Oxley (SOX) Act 
requires you to maintain data integrity for the entire retention 
period, and the Securities and Exchange Commission 
(SEC) Rule 17a-4 requires you to store data on unalterable 
media, such as WORM storage media, which lets you write 
data to a disc only once, but read the data many times. 

These general guidelines and the attached buyer's 
guide table should get your search for an email-archiving 
software solution off to a great start. If you're already using 
one of these products, or you have another email-archiving 
product you'd like to recommend, visit our Exchange & 
Outlook forums at forums.windowsitpro.com to tell your 
fellow admins what works and what doesn't. 

| Company | Product | Price | Exchange Versions Supported | Installs on Exchange Server, Separate Server, or Either? | Storage Location (e.g., local server, remote server) | Offline Storage Option (e.g., tape, DVD) | Single-Instance Storage | Compressed/Encrypted | Attachments: Saved or Compressed | Removes Messages from Email Server |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| AXS-One, 800-828-7660, www.axsone.com | AXS-One Compliance Platform | Contact vendor | Exchange 2007/2003 | Separate server | Local and remote | Yes | Yes | Yes/Yes | Saved, compressed, and single instance | Yes, with stubs |
| C2C, 413-739-8575, www.c2c.com | Archive One | Starts at $20 per user | Exchange 2007/2003/2000 | Separate server | Local and remote | Yes | Yes | Yes/Yes | Saved and compressed | Yes, with stubs |
| CommVault, 888-746-3849, 732-870-4000, www.commvault.com | CommVault Data Archiver for Exchange | Starts at less than $10,000 for up to 150 mailboxes | Exchange 2007/2003/2000 | Either, includes cluster support | Local, remote, and virtual | Tape, disk, optical, and content addressed storage (CAS) | Yes | Yes/Yes | Saved and compressed | Yes, with stubs |
| GFI Software, 888-243-4329, 919-379-3397, www.gfi.com | GFI MailArchiver for Exchange | Starts at $675 for 25 mailboxes | Exchange 2007/2003/2000 | Either | Local, remote (SAN/NAS), or SQL Server | SQL Server databases on read-only media | Yes | Yes/No | Saved and compressed | No |
| H&S Software, 888-473-7024, www.hs-soft.com/exchange@PAM | exchange@PAM | Starts at $2,000 | Exchange 2007/2003/2000/5.5 | Either | Local and remote | All major types (i.e., SAN, NAS, disk, tape, DVD, Jukebox, RAID) | Yes | Yes/Yes | Saved and compressed | Yes, with stubs |
| Lighthouse Global Technologies, 800-930-4079, 203-625-6650, www.lighthousegt.com | E-Trail Digital Archive Suite | Starts at $8,000 | All | Either | Any | DVD | Yes | Yes/Yes | Saved and compressed | Yes, with stubs |
| Mimosa Systems, 408-970-9070, www.mimosasystems.com | Mimosa NearPoint for Microsoft Exchange Server | Contact vendor | Exchange 2007/2003/2000 | Separate server | Remote | Disk | Yes | Yes/Yes | Saved, compressed, and de-duplicated | Yes, with stubs |
| Open Text, 800-499-6544, 519-888-7111, www.opentext.com | Livelink ECM - Email Archiving for Microsoft Exchange | About $12-$40 per seat | Exchange 2007/2003/2000 | Separate server | Remote | All standard optical media and Jukebox vendors, SAN, CAS, and NAS systems | Yes | Yes/Yes | Saved and compressed | Yes, with stubs |
| Open Text (continued) | Livelink ECM - Email Management for Microsoft Exchange | About $32-$100 per seat | Exchange 2007/2003/2000 | Separate server | Remote | All standard optical media and Jukebox vendors, SAN, CAS, and NAS systems | Yes | Yes/Yes | Saved and compressed | Yes, with stubs |
| Quest Software, 800-306-9329, 949-754-8000, www.quest.com | Archive Manager | $40 per mailbox | Exchange 2007/2003/2000/5.5 | Separate server | Local or remote | Yes | Yes | No/No | Saved and compressed | Yes, with stubs |
| Sherpa Software, 800-255-5155, 412-206-0005, www.sherpasoftware.com | Archive Attender for Exchange | $6-$16 per user | Exchange 2007/2003/2000/5.5 | Either | Any browsable Universal Naming Convention (UNC)/network path | Yes | Yes | Yes/No | Saved and compressed | Yes, with optional and customizable stubs |
| Sunbelt Software, 888-688-8457, 727-562-0101, www.sunbeltsoftware.com | Sunbelt Exchange Archiver | $40.00 per mailbox for 25 users with a sliding scale discount | Exchange 2007/2003/2000 | Either | Local or remote | Yes | Yes | Yes/Yes | Saved and compressed | Yes, with stubs |
| Symantec, 800-745-6054, www.symantec.com | Enterprise Vault | Starts at about $34 per user | Exchange 2007/2003/2000/5.5 | Separate server | DAS, NAS, SAN, WORM, and others | Yes | Yes | Yes/Yes | Saved and compressed | Yes, with stubs |
| Waterford Technologies, 949-428-9300, www.waterfordtechnologies.com | MailMeter Archive | $12 per mailbox (1,000 users) | Exchange 2007/2003/2000/5.5 | Separate server | Local storage or SAN/NAS | Tape or DVD | Yes | Yes/Yes | Saved and compressed | No, but removes attachments, leaving a stub |
| ZyLAB, 866-995-2262, 703-448-1420, www.zylab.com | ZyIMAGE Exchange Connector | Starts at $9,995 for 100 mailboxes | Exchange 2007/2003/2000 | Exchange server and separate workstation, NAS, SAN, or server | Disk, SAN, NAS, server, RAID, DVD, tape, and others | DVD, tape, and WORM | No | Yes/Yes | Saved and compressed | Yes, optional |

EDITOR’S NOTE: Some vendors that you might expect to see in this Buyer’s Guide said they didn’t have a product that exactly matched the criteria or didn’t 
30 Windows IT Pro FEBRUARY 2008 


We’re in IT with You 


www.windowsitpro.com 








































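Buyer’s Guide | Exchange Server Archiving Software 

| Product (rows in the same order as the first part of the table) | Archive by: User-Defined Filters | Archive by: Pre-Defined Filters | PST Management or Migration Tools? | Searches: Archive | Searches: Email Server | Searches: Across Multiple Servers/Information Stores | Searches Based on: Keyword (full-text) | Searches Based on: User/Group | Searches Based on: Sender | Searches Based on: Attachment Type | Compliance Features: Customizable Rules | Compliance Features: Variable, Configurable Retention Periods | Compliance Features: Litigation Holds/Multiple Holds | Compliance Features: Nonerasable/Nonrewritable Storage | Compliance Features: Compliance-Specific Templates (e.g., SOX, HIPAA) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| AXS-One Compliance Platform | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes | Yes |
| C2C Archive One | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes | No |
| CommVault Data Archiver for Exchange | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes | Yes |
| GFI MailArchiver for Exchange | Yes | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes, for subject, keywords, sender, and recipient | No/No | No | No |
| H&S Software exchange@PAM | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes | Yes |
| Lighthouse E-Trail Digital Archive Suite | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes, but optional | No |
| Mimosa NearPoint for Microsoft Exchange Server | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes | Yes |
| Open Text Livelink ECM - Email Archiving for Microsoft Exchange | Users can archive email by clicking a button in the Outlook interface | Yes | Migration tools | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes, for users | Yes/Yes | Yes | No |
| Open Text Livelink ECM - Email Management for Microsoft Exchange | Through Outlook rules | Yes | Migration tools | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes, both time and event driven | Yes/Yes | Yes | No |
| Quest Archive Manager | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes | No |
| Sherpa Archive Attender for Exchange | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes (contingent on hardware setup) | No |
| Sunbelt Exchange Archiver | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes/No | Yes | No |
| Symantec Enterprise Vault | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes | Yes |
| Waterford MailMeter Archive | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes | Yes |
| ZyLAB ZyIMAGE Exchange Connector | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes | Yes |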

process is quick and straightforward. Just be sure to install the 
PowerShell edition specific to your OS. Microsoft provides editions 
for Server 2008 beta 3, Windows Vista, Windows XP SP2, and Windows 
Server 2003. For this article, I'm running PowerShell on XP. 

After PowerShell is installed, you can use it immediately. To run 
PowerShell, select All Programs under the Start menu, choose Windows 
PowerShell 1.0, and click Windows PowerShell. When the PowerShell 
window appears, the command prompt displays the current working 
folder (C, on my system). You're now ready to start writing and 
executing PowerShell commands. 

Working with Cmdlets 

PowerShell supports its own scripting language, which is based on 
the .NET Framework. The most basic command in that language is the 
cmdlet (pronounced command-let). A cmdlet is similar to a function in 
that it performs a specific task, such as retrieving a folder's 
contents or updating a registry entry. 

PowerShell includes more than 100 built-in cmdlets. You can create 
additional cmdlets, but you must create them in a .NET language, 
such as Visual Basic .NET or C#. (The PowerShell 101 series will 
discuss only the built-in cmdlets.) Each cmdlet is in the form 
verb-noun because Microsoft wanted to use a consistent naming scheme 
to make PowerShell easy to learn and expand. The verb specifies the 
action to be taken. The noun indicates the type of object involved. 
For example, the Get-ChildItem cmdlet retrieves a list of items in 
the current working directory or container, such as the registry. To 
run the cmdlet, type it at the PowerShell command prompt and press 
Enter. The results are displayed beneath the command prompt. That's 
all there is to running a basic command. 

There will probably be times when you don't know whether there's a 
cmdlet for the task you need to accomplish or when you can't 
remember a cmdlet's name. You can view a list of all cmdlets by 
using the Get-Command cmdlet. Figure 1 shows part of this list, 
which includes the cmdlets' names and syntax, but not a description 
of what the cmdlet does. To get that information, you can use the 
Get-Help cmdlet. 


PowerShell Empowerment 

BY ANNE GRUBB 

IT pro Alex K. Angelopoulos thinks Windows’ interactive shell 
is just what you need to solve systems management 
problems on the fly 

Alex K. Angelopoulos has a passion for scripting. In 
his work as a consultant and a network administrator 
over the past 10 years, Alex has written hundreds 
of scripts to automate all kinds of administration tasks. And as a regular contributor to Scripting 
Pro VIP (www.scriptingprovip.com) and the former Windows Scripting Solutions newsletter, 
Alex has helped raise Windows IT pros' awareness of scripting's benefits and improve their 
scripting skills for nearly that long. In a recent conversation, Alex shared his thoughts with me 
about the usefulness of Windows PowerShell as a quick task-automating tool and how the shell 
makes it much easier for Windows administrators to fashion their own time- and work-saving 
solutions than using older batch-file, cmd.exe-based scripting methods. 

Q: What got you started writing scripts? 

A: I started scripting in 1992, on UNIX. On Windows, what really got me started was a 
long-neglected LAN that I helped administer 1997 through 1999. Although there was no "magic 
bullet" solution to our problems, we were able to dramatically reduce the workload using 
automation. That experience also shaped my view of the scripting environment. 

One thing that I didn't fully realize until later was the importance of teamwork. Another 
important lesson was that standardizing systems and lifecycle management dramatically 
reduces the need for custom solutions. Finally, I learned that there's never a magic 
solution-in-a-box. The right tools can help immensely, but when dealing with specific real-life 
problems, the best guarantee of a solution is having a lot of possible partial solutions that can be 
assembled. 

Q: What sparked your interest in Windows PowerShell? 

A: I started using PowerShell the first day the beta was available for download; I had already 
been sold on the idea. PowerShell is fundamentally a shell and was explicitly designed from the 
ground up by people with centuries of combined experience using bash, csh, Perl, VMS DCL, 
and other shells and scripting languages. 

We've never had a comparable shell on Windows. The cmd.exe shell more or less 
"happened" and developers cleaning it up subsequently were always limited by compatibility 
requirements and the available Windows infrastructure. 

Q: What aspects of PowerShell make it especially 
useful for Windows administrators? 

A: In the short run, the fact that it's a shell, letting you work interactively and in 15-second 
snippets of time, is crucial. So is the fact that it's designed to glue things together readily; most 
real-world administrative problems are solved by solution accretion rather than solution design. 
Once you know the basics, batch processing and gluing tasks are extremely easy. 

Over the long run, the critical factor in PowerShell's utility is its use of administrative-shell 
principles that people spent years figuring out on UNIX/Linux, VMS, and Windows; those are 
enduring values. PowerShell works with your instincts rather than against them. 

Q: Talk about a useful PowerShell script you’ve 
written—from the point of view of how well it solves a 
business or technical problem. 

A: Actually, I've found that the main advantage of PowerShell has been not having to write scripts. 
You can do improvisational work rapidly. Unlike my Windows Script Host (WSH) scripts, most of 
the lengthy PowerShell scripts I write are specific to complex problems particular organizations 
have. The daily tasks are a different story; most of those just happen and never become scripts. 

Let me use an example where I pick on VBScript, my preferred scripting language. I'm 
sitting at a computer on a network and need to find out the OS version on a computer named 
Weeble that I see on the LAN. I know I can use the Windows Management Instrumentation 
(WMI) Win32_OperatingSystem class to find out details, and theoretically I could write a script 
in VBScript to return the information, but I also need to know the property in that class. I can 
enumerate the property names in VBScript as well, but doing so takes even more time. In any 
case, once I write the script, I'd be unlikely to ever use it again. Tasks like this don't play to 
VBScript's strengths. But in PowerShell, I'd just run this command: 

gwmi Win32_OperatingSystem -Computer Weeble 

which displays basic information about the remote OS. 

Q: What would you tell Windows administrators to 
encourage them to dive in to PowerShell? 

A: Using PowerShell is the only way to get to understand it. Administrators don't sit down and 
say, "I'm going to learn how to use a new scriptable shell today." Admins keep networks and 
software running. When they run into problems that don't have affordable off-the-shelf 
solutions, they start looking at gluing together their own solutions. Over the next couple of years, 
we'll see people becoming more familiar with PowerShell. Another thing to remember is that 
PowerShell won't displace current tools; it's quite happy to run cmd.exe and WSH tools that 
are already out there. The way PowerShell wins is by being a better glue, not by making you 
rebuild everything you've developed over the last decade. 

InstantDoc ID 97307 

Anne Grubb 

(agrubb@windowsitpro.com) is Web site strategic editor for Windows IT Pro and SQL Server Magazine. 

Read an expanded version of this article at www.windowsitpro.com, InstantDoc ID 97307. 

Getting Help with Cmdlets 

PowerShell includes a set of Help files that you can access directly 
from the PowerShell command window with the Get-Help cmdlet. To 
retrieve Help information about a specific cmdlet, you use Get-Help 
with its -name parameter followed by the name of the cmdlet you want 
to learn about. Like parameters in cmd.exe commands, parameters in 
PowerShell cmdlets provide information that the cmdlets need to do 
their job. Unlike parameters in cmd.exe commands (which might start 
with a hyphen, a slash, or no symbol at all), parameters in 
PowerShell cmdlets always begin with a hyphen, which is another 
example of PowerShell's consistent naming scheme. 

Now let's take a look at an example to demonstrate how this works. A 
common system administrator's task is to read text files. After 
looking at the list of cmdlets that Get-Command provided, you think 
the Get-Content cmdlet might do the trick but you aren't sure. To 
retrieve Help information about Get-Content, run the command 

Get-Help -name Get-Content 

As Figure 2 shows, this command returns a description of the cmdlet 
and syntax information. The command returns the content of an item, 
which in this case refers to any type of file in a system. In the 
past, you might have used the For command for batch files or the 
FileSystemObject object in a Windows Script Host (WSH) script, but 
in PowerShell, you simply use the Get-Content cmdlet. You can 
retrieve more detailed information about the syntax by adding the 
-full parameter to the command 

Get-Help -name Get-Content -full 

Notice that the -full parameter doesn't take a corresponding value. 
This type of parameter is called a switch parameter because it 
switches the behavior of the cmdlet. 

Figure 3 shows some of the information returned by this command. (On 
your computer, you'll need to scroll or resize your window as 
necessary to view the entire contents.) The PARAMETERS section 
provides the information you need to include parameters in your 
command. Two important categories of information for each parameter 
are Required and Position. 

The Required category tells you whether the parameter is mandatory 
or optional. When Required is set to true, you must include the 
parameter. When Required is set to false, the parameter is optional. 

The Position category tells you whether a parameter must be named or 
whether it can be referenced by its position. When Position is set 
to named, you must include the parameter's name when referencing 
that parameter. When Position is set to a number, you can reference 
the parameter by its name or you can simply provide the parameter's 
value in its correct position. 

For example, as you can see in Figure 3, the -path parameter is 
required for Get-Content. However, you can include that parameter 
value in the first position without including the parameter name, as 
in 

Get-Content c:\sample.txt 

If a parameter value contains spaces, you must enclose the value in 
quotes. 

In the PARAMETERS section, each parameter name is followed by 
information in angle brackets (< >). This information specifies the 
type of data that the parameter value must be. As Figure 3 shows, 
the -path parameter value must be a string. If a set of brackets 
([ ]) follow the word string, then a string array is permitted as 
the parameter value. 

In the case of switch parameters, which don't take values, the data 
type will read <SwitchParameter>. For example, Get-Content's -force 
parameter is defined with this data type. This parameter overrides 
restrictions that might prevent the command from succeeding. The 
override occurs only when you include the parameter in your command. 

One other feature to note about parameters is that PowerShell 
includes a parameter-name completion feature. You need to include 
only enough of the parameter name to distinguish it from other 
parameters. For example, the command 

Get-Content c:\sample.txt -force 

is the same as 

Get-Content c:\sample.txt -fo 

Besides providing the parameter information that you need to build 
commands, the Help file for Get-Content includes examples of how to 
use the cmdlet, helpful tips in the Notes section, and resources 
where you can find additional information. The best part is that 
Help files are available for all the cmdlets—there are even Help 
files that discuss general concepts. 

Figure 1: Retrieving a list of cmdlets 
Figure 2: Retrieving Help information about Get-Content 
Figure 3: Retrieving the full version of the Help file for Get-Content 

Getting Help with Concepts 

PowerShell includes a set of Help files that provide overviews of 
various concepts. Each file begins with "about_" and ends with the 
name of the topic. To view an alphabetical list of the about topics, 
run the command 

Get-Help about* 

To view information about a specific topic, you simply include the 
topic's full name as a parameter value. For example, to retrieve the 
file about flow control, run the command 

Get-Help about_flow_control 

Figure 4 shows part of the results you can expect. As you can see, 
the file provides an overview of how to implement flow control in a 
PowerShell script. 

Using Aliases 

Some of the cmdlet names can be quite verbose, an annoying 
characteristic if you have to continuously retype commands. 
Fortunately, PowerShell supports the use of aliases for referencing 
cmdlets. An alias is an alternate 
name that's usually much shorter than the actual cmdlet name. 
PowerShell includes a number of built-in aliases, and you can create 
your own aliases. 

Figure 4: Retrieving Help information about flow control 
Figure 5: Retrieving the aliases for Get-ChildItem 

To view the aliases available to your current session, run the 
Get-Alias cmdlet. Current session refers to your current connection 
to PowerShell. When you start PowerShell, you start a new session; 
that session persists until you close PowerShell, which ends your 
connection. In addition to displaying all built-in aliases and their 
associated cmdlets, Get-Alias displays any aliases you created in 
the current session and aliases defined in profiles, which are 
user-defined configuration settings loaded into PowerShell whenever 
it starts. (Profiles will be discussed in a later lesson.) 

If you want to view the aliases available for a specific cmdlet, you 
must qualify the Get-Alias cmdlet. For example, to view the aliases 
available to the Get-ChildItem cmdlet, run the command 

Get-Alias | 
Where-Object {$_.definition -match "Get-ChildItem"} 

This command incorporates several elements that I'll explain in 
detail in subsequent lessons. For now, all you need to know is that 
the results of the Get-Alias cmdlet are sent to a Where-Object 
cmdlet that filters out any results that don't match Get-ChildItem. 
If you want to check for aliases for a different cmdlet, replace 
Get-ChildItem with the cmdlet name. 

As you can see in Figure 5, PowerShell includes three aliases that 
reference Get-ChildItem: gci, ls, and dir. You can use any of these 
aliases in place of the cmdlet name. All four of the following 
commands list the contents of the C:\Windows folder: 

Get-ChildItem c:\windows 
dir c:\windows 
ls c:\windows 
gci c:\windows 

To create an alias within the current session, use the Set-Alias 
cmdlet. For instance, to create an alias named cnt that references 
Get-Content, run the command 

Set-Alias cnt Get-Content 

You can then use cnt wherever you would use Get-Content. The alias 
is available until you end your session (i.e., close PowerShell). 
Note that you can't include parameters when defining an alias, only 
the cmdlet name itself. If you want to define a reference to a 
cmdlet and its parameters, you should create a function. You'll 
learn how to create a function in a later lesson. 

Moving Forward 

In this lesson, I introduced you to the fundamental components 
necessary to begin exploring and using PowerShell commands, which 
consist of one or more cmdlets. In upcoming lessons, you'll learn 
more about how to use these cmdlets and how to create scripts that 
enable you to leverage PowerShell's full capabilities. In the 
meantime, begin working with cmdlets. Use PowerShell's Help file to 
create commands and learn about specific concepts. Try out the 
different parameters and learn how to create and use aliases. In no 
time at all, you'll be ready to incorporate PowerShell into your 
daily routines. 
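
The Required and Position fields and the parameter-name completion rule described in this lesson can also be read from a cmdlet's own metadata. The following is an added example, not code from the article; Get-ParameterSummary and Resolve-ParameterPrefix are hypothetical helper names, and the prefix check does not consider parameter aliases.

```powershell
# Added example (not from the article). Get-ParameterSummary and
# Resolve-ParameterPrefix are hypothetical helper names.

# List each parameter of a cmdlet with the facts that the PARAMETERS section
# of "Get-Help -full" reports: Required, Position, and data type.
# The metadata counts positions from 0; a negative Position means the
# parameter can be passed only by name.
function Get-ParameterSummary {
    param([string]$CmdletName)

    $cmdlet = Get-Command -Name $CmdletName -CommandType Cmdlet
    foreach ($set in $cmdlet.ParameterSets) {
        $setName = $set.Name
        $set.Parameters | Select-Object @{Name = 'ParameterSet'; Expression = { $setName }},
            Name,
            @{Name = 'Required'; Expression = { $_.IsMandatory }},
            @{Name = 'Position'; Expression = {
                if ($_.Position -ge 0) { $_.Position } else { 'named' } }},
            @{Name = 'Type'; Expression = { $_.ParameterType.Name }}
    }
}

# Return the parameter names that an abbreviated name could refer to.
# One result means the abbreviation is usable; several mean it is ambiguous.
function Resolve-ParameterPrefix {
    param([string]$CmdletName, [string]$Prefix)

    $cmdlet = Get-Command -Name $CmdletName -CommandType Cmdlet
    $names = $cmdlet.ParameterSets |
        ForEach-Object { $_.Parameters } |
        ForEach-Object { $_.Name } |
        Sort-Object -Unique

    # An exact name always wins; otherwise every name that starts with the
    # prefix is a candidate. (Parameter aliases are not considered here.)
    $exact = @($names | Where-Object { $_ -eq $Prefix })
    if ($exact.Count -eq 1) { return $exact }

    $names | Where-Object {
        $_.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)
    }
}

# Show the two Get-Content parameters discussed in the lesson.
Get-ParameterSummary Get-Content |
    Where-Object { $_.Name -eq 'Path' -or $_.Name -eq 'Force' } |
    Format-Table -AutoSize

# Check which abbreviations are safe to type for Get-Content.
foreach ($prefix in 'fo', 'f') {
    $candidates = @(Resolve-ParameterPrefix Get-Content $prefix)
    switch ($candidates.Count) {
        0       { "-$prefix : no such parameter" }
        1       { "-$prefix : binds to -$($candidates[0])" }
        default { "-$prefix : ambiguous (" + [string]::Join(', ', $candidates) + ")" }
    }
}
```

An abbreviation that is unique today can become ambiguous when a later PowerShell version adds a parameter, so saved scripts are safer with full parameter names.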
Feature 




In recent months, I've worked with several clients on projects 
designed to improve the management of user data and settings 
(UDS). Insufficiently or incorrectly managed UDS can have a 
significant negative effect on your IT department's service 
delivery. By putting the right pieces in place, you can reduce costs, 
increase security, enable mobility, improve productivity, and 
ensure business continuity. 

Windows provides most of the pieces: redirected folders, roaming 
profiles, quotas, file screens, DFS namespaces, encryption, and offline 
files. All you need to do is add the right people, processes, and 
supporting scripts and tools. By putting all these pieces together in just the right 
way, you can create a framework for effectively managing UDS. But it's not easy—there are many 
moving parts. And although there's a slew of documentation about profiles and redirected folders, 
very little of it deals with the crazy interactions between all these technologies and the various 
types of data that you need to manage in your enterprise. 

In this two-part series, I'll offer some design guidance to help you create a UDS management 
framework. I'll also help you unify UDS management for both Windows Vista and Windows XP 
users. For some good foundational reading before diving into these best practices, I recommend 
that you read chapter 3 of the Windows Administration Resource Kit (see the Learning Path, page 
42). The chapter goes into far more detail than I have space for here. The resource kit also contains 
great tools and scripts to help you implement a UDS management framework. (Although the book 
is part of the Windows Server 2008 Resource Kit, the content also applies to Windows Server 2003 
and to Vista and XP clients.) 

In this first part of the series, let's dive into some best practices for the server side of the 
equation. I'll look at the physical namespace (i.e., folders and permissions), the SMB namespace (i.e., 
shares), and the DFS namespace that will give you the most effective back end for UDS 
management. In Part 2, I'll look at the client-side components. 

Identify Your Business Requirements 

First, let's get some definitions out of the way. User data refers 
to files created by and necessary for an individual user—items in a 
user's Documents folder (My Documents in XP) or on their desktop. 
Settings refers to everything from a user's Microsoft Outlook 
configuration, custom dictionary, quick launch shortcuts, templates, 
and desktop wallpaper to his or her Microsoft Internet Explorer (IE) 
Favorites. Windows has a number of data and settings stores for UDS, 
including My Documents, Desktop, Favorites, AppData, and the 
ntuser.dat registry file. These data stores can reside physically on 
the local system, on a network server, or both. For laptop users, in 
fact, data stores are in both local and network locations, with 
technologies including offline files and roaming profiles keeping 
the two locations in sync. 

Before you begin designing a UDS management framework, spend some 
time identifying the business requirements that drive such a 
project. I suggest that they'll fall into the following categories: 

• Security—You must ensure that the data 
your users create is secure. 

• Mobility—Users should have access to 
their data and settings not only from their 
desktop PC or personal laptop but also from 
conference rooms and other computers. 

• Availability—When a user gets a new or 
replacement system, his or her data and settings 
should be fully available at first logon. 

• Resiliency—If a user's hard disk fails or is 
stolen, his or her business data and settings 
shouldn't be permanently lost. 


Preview the Best Practice 
Design for a UDS 
Framework 

After identifying your strategic requirements, 
you can begin to design a framework that 
tackles UDS according to those requirements. 
Here's a quick overview of what your UDS 
framework will comprise. 

Redirected folders. Redirected folders 
ensure that critical stores of user data are 
located on file servers. Users on Windows cli¬ 
ents will continue to access their data in their 
Documents folder, on their desktop, in their 
Eavorites folder, and in media folders such as 
Music, Pictures, and Videos. The functionality 
of redirected folders makes it transparent to 
users that the physical data stores for those 
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Figure 1: 


folders are on the network. 

Offline files. Laptop users will 
leverage offline files so that their 
data is available when they're dis¬ 
connected from the network. The 
offline files cache will be secured 
with encryption to reduce the risk of 
data leakage when a laptop is lost or 
stolen. 

Roaming profiles. You'll use roaming profiles to meet the mobility, 
availability, and resiliency requirements for users' registry 
hives—the ntuser.dat file in the root of their profiles. You'll also 
include the AppData folder in the roaming profile. For reasons I'll 
detail in Part 2, although it's technically possible to redirect 
AppData, in most scenarios it's likely that redirection will be a 
future-state, and until then AppData will be managed as part of the 
roaming profile. Chances are the registry file and AppData folder are 
the only two items you'll use roaming profiles to manage. Users' 
profiles will be very small indeed, and for that reason, roaming 
profiles will effectively support those two settings stores. 

DFS namespaces. DFS namespaces will abstract the physical location of 
user data stores so that users' data can be managed easily and moved 
with minimal impact. 

Unmanaged data. Classes of data that 
shouldn't be stored on network servers (e.g., 
users' personal music collections) will be 
excluded from both redirected folders and 
roaming profiles so that they remain on the 
users' local hard disk. 

Quotas and file screens. You can optionally 
implement quotas and file screens on server 
data stores to manage the quantity and types 
of data stored there. 


Create the Physical Namespace of Folders for UDS Stores 

To support your security, mobility, availability, and resiliency 
business requirements, the redirected folders and roaming profiles 
have to go somewhere. The data will end up on a network server. That 
server must have a folder structure that supports UDS manageability. I 
recommend the folder structure that Figure 1 shows for each user on 
the server. Some of the structure's features might surprise you. 

Notice that the structure doesn't use a flat namespace. Instead, all 
the typical user data stores—including Desktop and Documents—are 
contained within a parent folder called Data. You'll use this Data 
folder when you decide to implement quotas for user data storage. A 
user's quota should be universal: It should apply to data whether it's 
stored in the Documents, Desktop, or media folders. To apply a quota 
to user data stores effectively, those stores must reside under one 
parent folder. However, you can't use the user's top-level folder 
(e.g., \jfine) for that quota, because there are other stores—the 
Backups and Profiles folders—that shouldn't be subject to the same 
quota. 

Having the Data folder gives you a management scope—a container that 
represents all day-to-day user data stores. You can use this folder to 
apply a quota for the user's data. You can also use it to scope file 
screens that prevent certain types of data from being stored on the 
network. The concepts of quotas and file screens are familiar, and 
Windows makes them easy to implement and manage in Server 2008 and 
Windows 2003 R2. Check out the File Server Resource Manager (FSRM) 
Help documentation for details. 

Figure 1 also shows two profile folders: \Profile and \ProfileV2. 
Vista appends a V2 extension to the folder hosting the user's roaming 
profile. So, if you configure a user's profile path as 
\\namespace\%username%\profile, the roaming profile for a user will be 
in the Profile folder if the user logs on to an XP system, and in the 
ProfileV2 folder if the user logs on to a Vista system—automatically. 
Because of significant differences in registry and AppData structure, 
there's no way to unify those two settings stores for Vista and XP 
users. They'll be separate. That's another good reason for ensuring 
that roaming profiles manage only those two stores. 

The profile folders are first-level folders, not subject to the quota 
that is implemented on the Data folder. Profiles shouldn't be subject 
to quotas because if the system encounters a quota limit during 
synchronization, the profile can become corrupted. In Part 2, you'll 
see that in the UDS framework, profiles will contain only AppData and 
the ntuser.dat registry file, so you'll eliminate profile bloat, 
manage profile size, and improve synchronization. Profiles simply 
won't grow too large, so you'll be better served by having profiles 
"quota free." 

The Backups folder solves a business-data- 
management scenario that Windows doesn't 
address with redirected folders and roaming 
profiles. (You'll see how useful it is in Part 2.) You 
can also use this folder to archive user-specific 
data (e.g., old .pst files) that isn't needed regularly 
and therefore doesn't need to be available 
offline for laptop users. You'll manage which 
data goes in Backups and how it gets there with 
mechanisms other than roaming profiles and 
redirected folders. Backups isn't a subfolder of 
the Data folder, so it can be configured with a 
quota that's separate from the quota applied to 
normal day-to-day data stores. 

Above these folders is a single parent folder for the user, and above 
the user folders is a single parent for all users on the server. In 
Figure 1, the top-level folder is called Users. Of course, all these 
folders must be secured according to your organization's information 
security policy. On the Users folder, assign the permission 
System::Allow::Full Control, along with permissions that enable 
appropriate administrative and support access to user data stores. For 
example, you can grant a security auditing team Read permission for 
the user data stores, and you can give the Help desk permission only 
to the top-level user folders, but not to subfolders. The resource kit 
offers further information, as well as tools to help you secure the 
user data folder structure on the server. 

One exciting byproduct of setting everything up correctly is that you 
won't need to provide any permissions to normal users at the root 
Users folder. As long as each user has Full Control of his or her 
individual \%username% folder, no permissions at the Users folder 
level are necessary. The default user right to traverse folders will 
let the user "jump through" (without accessing) the Users folder, 
straight to his or her folder. Therefore, users have no permission to 
look in, browse through, or even see other users' folders. Now that's 
least-privilege security! 

There's a catch: You must provision the folder tree for each user 
before applying redirected folders and roaming profiles. That is, you 
must pre-create the folder structure that Figure 1 shows. Again, the 
resource kit can help you automate the provisioning of user data 
stores; it even provides a series of folder-provisioning script 
samples. You can also obtain the scripts from 
www.intelliem.com/resourcekit. 


Create the SMB Namespace of Shared Folders for UDS Stores 

SMB namespace is a fancy term for discussing the standard, 
server-based Universal Naming Convention (UNC) paths to the UDS 
stores. You're certainly familiar with paths such as 
\\servername\users$\%username%. Such UNCs are navigating to a folder 
through an SMB namespace. 

The correct SMB namespace for a UDS framework requires that the 
top-level folder, Users, be shared twice. The first share will be used 
in paths to user data stores. Most organizations share the top-level 
folder with a hidden share name such as Users$. SMB paths to users' 
documents folders, for example, would be 
\\server\users$\%username%\data\documents. 

On the Users$ share, be sure to assign the Full Control share 
permission to the group of users who have data stores on the server. 
The NTFS permissions on the root Users folder and on each user's root 
folder will control effective access. Remember that users actually 
don't have NTFS permissions on the Users folder, so the 
Everyone::Allow::Full Control share permission is fine for the Users$ 
share. 

Figure 2: Disabling caching on the Profiles$ share 

You must also share the Users folder a second time for paths that 
point to the user's roaming profile. I recommend a name such as 
Profiles$. Again, assign the Full Control share permission to the 
group of users on the server or to the Everyone group. The reason that 
the Users folder must be shared a second time is that you must disable 
caching on SMB paths to user profiles. It's a long story that has to 
do with a potential conflict between Windows Offline Files and roaming 
profiles. Caching is enabled by default and should be left on for the 
Users$ share to support laptop users in the UDS framework. But you 
must disable caching on the Profiles$ share, as you see in Figure 2. 
Users—including laptop users—will still get a synchronized copy of 
their user profile on their local systems by using profile 
synchronization, which is a separate mechanism from the caching of 
Windows' Offline Files feature. 
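One way to pre-create the folder tree, NTFS permissions and the two shares described in the last two sections, as an added example (it is not one of the resource kit's provisioning scripts). It assumes Windows Server 2008 or later, an elevated PowerShell prompt, a root path without spaces, BUILTIN\Administrators as the administrative group, and an assumed list of subfolders under Data, since Figure 1 is not reproduced here; all function names and sample values are hypothetical.

```powershell
# Added example, not the resource kit's scripts. Run Initialize-UdsRoot once per
# server, then New-UdsUserStore once per user.

function Invoke-Native {
    param([string] $Exe, [string[]] $Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe failed with exit code ${LASTEXITCODE}: $($Arguments -join ' ')"
    }
}

function Initialize-UdsRoot {
    param([Parameter(Mandatory = $true)] [string] $Root)   # e.g. D:\Users

    if (-not (Test-Path -LiteralPath $Root)) {
        New-Item -ItemType Directory -Path $Root | Out-Null
    }
    # Drop inherited ACEs, then grant Full Control only to SYSTEM (S-1-5-18) and,
    # as an assumed administrative group, BUILTIN\Administrators (S-1-5-32-544).
    # Ordinary users get no ACE at this level; they traverse to their own folder.
    Invoke-Native icacls.exe @($Root, '/inheritance:r', '/grant:r',
        '*S-1-5-18:(OI)(CI)F', '*S-1-5-32-544:(OI)(CI)F')

    # Share the same folder twice. Users$ keeps caching on for Offline Files;
    # Profiles$ disables caching because roaming profiles synchronize separately.
    Invoke-Native net.exe @('share', ('Users$={0}' -f $Root),
        '/GRANT:Everyone,FULL', '/CACHE:Manual')
    Invoke-Native net.exe @('share', ('Profiles$={0}' -f $Root),
        '/GRANT:Everyone,FULL', '/CACHE:None')
}

function New-UdsUserStore {
    param(
        [Parameter(Mandatory = $true)] [string] $Root,
        [Parameter(Mandatory = $true)] [string] $Account,   # e.g. CONTOSO\jfine
        # Assumed subfolder list; adjust to the stores you actually redirect.
        [string[]] $DataFolders = @('Desktop', 'Documents', 'Favorites')
    )
    $userName = ($Account -split '\\')[-1]
    $userRoot = Join-Path $Root $userName
    New-Item -ItemType Directory -Path $userRoot -Force | Out-Null

    # Full Control for the user on his or her own tree only. SYSTEM and the
    # administrative ACEs are inherited from the root.
    Invoke-Native icacls.exe @($userRoot, '/grant', ('{0}:(OI)(CI)F' -f $Account))

    # Data is the quota and file-screen scope; Profile, ProfileV2 and Backups
    # sit beside it so that they stay outside that quota.
    $folders = @($DataFolders | ForEach-Object { Join-Path 'Data' $_ }) +
               @('Profile', 'ProfileV2', 'Backups')
    foreach ($relative in $folders) {
        New-Item -ItemType Directory -Path (Join-Path $userRoot $relative) -Force | Out-Null
    }
    return $userRoot
}

function Test-UdsRootAcl {
    # Returns $true when every ACE on the root belongs to SYSTEM or Administrators,
    # i.e. no ordinary user or group can list the Users folder.
    param([Parameter(Mandatory = $true)] [string] $Root)
    $allowed = 'S-1-5-18', 'S-1-5-32-544'
    $rules = (Get-Acl -Path $Root).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $unexpected = @($rules | Where-Object { $allowed -notcontains $_.IdentityReference.Value })
    return ($unexpected.Count -eq 0)
}

# Constructed sample calls:
# Initialize-UdsRoot -Root 'D:\Users'
# New-UdsUserStore  -Root 'D:\Users' -Account 'CONTOSO\jfine'
# Test-UdsRootAcl   -Root 'D:\Users'
```

If you add auditing or Help desk groups at the root as the article suggests, extend the allowed list in Test-UdsRootAcl to match.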


Use DFS Namespaces to Abstract and Present Each User's Data Stores 

The final piece of infrastructure is DFS namespaces—a very important 
component. If you've ever moved a user's data from one server to 
another, you know that you have to change a lot. You have to change 
the user's roaming profile path and the GPO and registry folder 
redirection settings. That's easy enough, but think about all the 
links within and between documents. For example, think about all the 
Microsoft Excel worksheets with linked formulas pointing to 
\\server01\users$\dholme\Documents\Finance\excelfile.xls that must be 
changed to \\server02\users$\dholme\Documents\Finance\excelfile.xls. 
That "path migration" is a great deal of work, and most organizations 
aren't equipped to thoroughly migrate user data paths, particularly 
for inter-document links. So they don't, and productivity is lost. 

DFS namespaces, like the other components I discuss in this article, 
require thoughtful design, but I can recommend the design that 
Figure 3, page 42, shows as a best practice. Figure 3 represents what 
I call a fully enumerated DFS namespace, in which each UDS store is 
presented in the DFS namespace. A user is given a first-level folder 
within a domain-based DFS namespace (e.g., \\contoso.com\Users). 
Below that folder is a single level of subfolders—one for each data 
and settings store. So, the paths used for roaming profiles and 
redirected folders are simple: \\namespace\users\username\foldername 
(e.g., \\contoso.com\users\dholme\desktop and 
\\contoso.com\users\dholme\profile). The namespace abstracts the fact 
that several data stores are actually subfolders of a parent Data 
folder on the server. So, the Data folder on the server can manage 
quotas in the physical namespace on the server without adding 
complexity to the namespace used for administering UDS. 

Each folder in the user's DFS namespace targets the appropriate folder 
on the server. The data folders use the 
\\servername\Users$\username\Data\foldername path as the target, 
through the Users$ share that allows caching. The profile folders use 
the \\servername\Profiles$\username\Profile and \ProfileV2 paths as 
targets, through the Profiles$ share that disables offline files, 
because roaming profiles have a separate mechanism for 
synchronization. 
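The mapping described above, worked through as an added example rather than code from the article or the resource kit. It only computes the DFS folder paths and their targets and creates nothing; the function names, server names and data-folder list are hypothetical, the 5000-link default is the Windows 2003 limit the article cites further down, and the Backups folder is left out because the text does not say which share it is presented through.

```powershell
# Added example: build the fully enumerated DFS folder list for each user.

function Get-UdsDfsLinks {
    param(
        [Parameter(Mandatory = $true)] [string] $Namespace,   # e.g. \\contoso.com\users
        [Parameter(Mandatory = $true)] [string] $Server,      # file server holding the stores
        [Parameter(Mandatory = $true)] [string] $UserName,
        [string[]] $DataFolders = @('Desktop', 'Documents', 'Favorites')   # assumed list
    )
    # Data stores: targets go through Users$ (caching allowed) and the Data folder.
    foreach ($folder in $DataFolders) {
        New-Object PSObject -Property @{
            DfsPath = '{0}\{1}\{2}' -f $Namespace, $UserName, $folder
            Target  = '\\{0}\Users$\{1}\Data\{2}' -f $Server, $UserName, $folder
        }
    }
    # Settings stores: targets go through Profiles$ (caching disabled).
    foreach ($folder in 'Profile', 'ProfileV2') {
        New-Object PSObject -Property @{
            DfsPath = '{0}\{1}\{2}' -f $Namespace, $UserName, $folder
            Target  = '\\{0}\Profiles$\{1}\{2}' -f $Server, $UserName, $folder
        }
    }
}

function Get-UdsNamespacePlan {
    param(
        [Parameter(Mandatory = $true)] [string] $Namespace,
        [Parameter(Mandatory = $true)] [hashtable] $UserToServer,   # user name -> server
        [int] $LinkLimit = 5000
    )
    $links = @(foreach ($user in $UserToServer.Keys) {
        Get-UdsDfsLinks -Namespace $Namespace -Server $UserToServer[$user] -UserName $user
    })
    New-Object PSObject -Property @{
        Links       = $links
        LinkCount   = $links.Count
        WithinLimit = ($links.Count -le $LinkLimit)
    }
}

# Constructed sample: moving dholme from server01 to server02 changes only the
# Target column. The DfsPath values used in profile paths, folder redirection
# settings and inter-document links stay the same.
$before = Get-UdsDfsLinks -Namespace '\\contoso.com\users' -Server 'server01' -UserName 'dholme'
$after  = Get-UdsDfsLinks -Namespace '\\contoso.com\users' -Server 'server02' -UserName 'dholme'
$before + $after | Sort-Object DfsPath | Format-Table DfsPath, Target -AutoSize

$plan = Get-UdsNamespacePlan -Namespace '\\contoso.com\users' `
    -UserToServer @{ dholme = 'server02'; jfine = 'server01' }
$plan | Format-List LinkCount, WithinLimit
```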


Understand Why a Fully Enumerated DFS Namespace Is a Best Practice 

Proposing individual DFS namespace folders for each user data store 
might seem extreme. Many organizations have a simpler DFS namespace, 
such as the one that Figure 4 shows. Such a DFS namespace can serve a 
small organization well. Paths to user data stores take the form 
\\domain\users\data\%username%\data\foldername (e.g., 
\\contoso.com\users\data\jfine\data\documents). The appearance of 
\data twice isn't a typo. The first \data folder is in the DFS 
namespace, which targets the Users$ share in the server's SMB 
namespace. The %username% folder and the second \data folder are in 
the physical namespace on that server, within the Users$ share. 

But even in a small organization, there's a big problem: This 
namespace is inflexible. The DFS namespace (e.g., 
\\contoso.com\users\data) targets a fixed SMB namespace (e.g., 
\\server01\users$). If some users' data stores are moved to another 
SMB namespace (e.g., \\server02\users$), you'll be stuck rebuilding 
the DFS namespace. Even worse, you'll have to do the involved "path 
migration" for roaming profiles, redirected folders, and all 
inter-document links. Also, any laptop users would have to have their 
offline files cache manipulated to avoid a total resynchronization. 

You might consider using Figure 3's namespace down to the user level 
and avoiding the subfolders for individual data stores. You can get 
away with that configuration for now, but you're building in a 
hard-wired dependency on the physical namespace—Desktop, Documents, 
and the media folders are all in the Data folder. If you ever need to 
change your management on the back end, you'll be stuck again. I'm 
expecting that, someday, we'll be able to redirect the Documents store 
to a SharePoint My Site. That's "pie in the sky" thinking right now, 
but by abstracting the location of Documents, I'm hoping to make the 
migration of individual data stores to other servers or even other 
technologies a bit smoother down the road. It's easy enough to 
provision the DFS namespace for a user with the aforementioned 
scripts, so why not build the most flexible and forward-looking 
namespace for manageability? 

These considerations, plus concerns related 
to the interactions of other components of the 
UDS framework, make a fully enumerated 
DFS namespace a best practice. Further details 
are too much to cover in the space I have 
here, so be sure to check out the resource kit, 
which discusses the pros and cons of other DFS 
namespace structures. 


You might be aware that a DFS namespace in Windows 2003 can have only 
5000 links. If each user has more than half a dozen folders in the DFS 
namespace, you'll be able to support several hundred users in a single 
namespace. See the resource kit for best-practice designs for more 
users in Windows 2003 environments: You can work around the limitation 
with additional domain DFS namespaces that won't require additional 
DFS namespace servers. Server 2008 DFS namespaces remove the limit. 
Ideally, you should provision the DFS namespace for users when you 
provision the physical folders. 

Only the Beginning 

This article's best practices should help you manage the back end of 
an effective UDS framework. By separating the physical and SMB 
namespaces that manage the configuration and security of UDS data 
stores from the presentation of those data stores in a logically 
organized DFS namespace, you'll be well prepared to implement the 
client side. In Part 2, I'll address roaming profiles, redirected 
folders, and critical workarounds necessary to solve several 
business-data scenarios that Microsoft's native technologies don't 
support. 

As I mentioned earlier, an effective UDS management framework can be 
quite complicated—not because of the complexity of the involved 
technologies but because you must align many individual and sometimes 
conflicting technologies in a way that supports both your business 
requirements and the unique characteristics of your users' data. 

BY DARREN MAR-ELIA 

Whether you're faced with configuring 10 Windows servers and desktops or 
10,000, you know that Group Policy offers valuable assistance to ensure 
you complete the task in time for you to head home and have a life. But 
you've probably also heard the horror stories of Group Policy's 
complexity, where a sys admin made changes without understanding their 
consequences and paid the price in making life more difficult instead of 
easier. For example, ever look to modify the "Logon Locally" user right 
on a Group Policy Object (GPO) to remove unnecessary groups, only to 
discover that you did it on a GPO that applies to everyone in the domain, and now no one can log 
on? I can tell you that that has happened more than once. 

Problems such as these are common. But you can ensure that Group Policy lives up to its 
potential—just by making sure you nail down a few essential concepts: how GPOs are processed, 
how permissions and filtering work, the difference between policies and preferences, and how to 
use some basic troubleshooting steps. 

Understanding Group Policy Processing 

How the client processes GPOs is fundamental to ensuring that everything goes according to plan. 
Let's start by realizing that, despite the fact that the feature is named Group Policy, policies are 
processed only by computers and users. So, when you link a Group Policy Object (GPO) to an Active 
Directory (AD) object, the computer portion of that GPO is read only by computer objects in AD 
and the user portion is read only by user objects. You can use security groups to filter which users 
and computers are subject to a given GPO, but you can't target GPOs at specific security groups. 
Confused? Just think of it this way: Whenever you link a GPO to an object, domain, or 
organizational unit (OU) in AD, make sure that the user or computer that you want the GPO to 
apply to is beneath the linked container within the AD tree. If it isn't, then the user or 
computer won't see the GPO and can't process it. 

The process of linking a GPO is different from the process of creating 
it. When you created a GPO from the Microsoft Management Console 
Active Directory Users and Computers snap-in in Windows 2000, you 
linked the GPO to the AD container you were focused on in the same 
step. The ability to create a GPO without linking it came with the 
advent of Group Policy Management Console (GPMC). With GPMC, you can 
create GPOs without linking them, and then link them later. 

You can also re-use a GPO by linking it to multiple AD containers—for 
example, you might link one desktop lockdown GPO to four or five OUs. 
A big benefit of linking a GPO to multiple containers is that any 
change you later make to that GPO will affect the users and computers 
in all the linked OUs. However, because you can link GPOs to multiple 
containers in AD, a given user or computer might process multiple 
GPOs. To know which policy applies in that case, you need to know the 
answer to a couple of questions: How does Group Policy know which GPO 
to process first, and which settings ultimately apply if the different 
GPOs have different settings? 

Group Policy processing follows a specific order. The local GPO on a 
given computer is processed first, followed by GPOs linked to AD 
sites, then GPOs linked to an AD domain, and finally those linked to 
OUs. Because OU-linked GPOs are processed last, they "win" the contest 
that determines which GPO's settings actually apply to the computer or 
user. For example, if a domain-linked GPO removes the Run option from 
the Windows Start menu and an OU-linked GPO adds the Run option back 
to the menu, the OU-linked GPO will apply because the user processes 
it second, and the Run option will appear in the user's Start menu. 

Group Policy uses both foreground and background processing. For a 
computer, foreground processing happens when the computer initially 
starts up, typically—but not always—before the user sees a logon 
dialog. For a user, foreground processing occurs when the user logs 
on, typically—but again not always—before the user sees his or her 
desktop. Background processing takes place periodically to refresh 
Group Policy. On domain controllers (DCs), background processing for 
computers and users occurs every five minutes. On member servers and 
workstations, it occurs by default every 90 to 120 minutes. Although 
Group Policy is refreshed automatically during background processing, 
not all policy areas run during background processing. For example, 
neither software installation nor Folder Redirection policy runs in 
the background. 

Group Policy Permissions and Filtering 

As I mentioned earlier, GPOs are processed only by users and 
computers, but they can be filtered by security groups that contain 
user or computer accounts. By default, when you create a GPO, the 
Authenticated Users group receives Read and Apply permissions to that 
GPO, which gives all users and all computers the ability to see, and 
thus to process, the GPO. But you might sometimes want only a subset 
of users or computers in a given OU to process a GPO. In that case, 
you can use security groups to filter the GPO. That process is easily 
done by using a must-have tool: Group Policy Management Console 
(GPMC), which ships with Windows Vista and can be downloaded by 
searching in System Tools at www.microsoft.com/downloads. 


As Figure 1 shows, you can modify the 
security filtering on a given GPO by simply 
adding and removing groups from the Security 
Filtering section in GPMC. 

Let's say, for example, that you have a GPO 
linked to the Marketing OU, which contains 200 
user accounts. You want to deliver some user 
policy settings to a subset of those users—the 
users who are also members of the Marketing 
Special Projects group. Using GPMC, this task 
is easy. Start GPMC by entering 

gpmc.msc 

in the Run dialog box on the Start menu. 
Under the Group Policy Objects node in the 
tree pane, select the GPO you want to filter. 
Remove the Authenticated Users group from 
the GPO because that group lets all users and 
computers process that policy. To do so, highlight 
that group in the Security Filtering dialog 
box and press the Remove button. Then add 
the Marketing Special Projects group to the 
security filtering list by clicking the Add button 
and entering or searching for the "Marketing 
Special Projects" group in your AD domain. 
GPMC takes care of granting the Read Group 
Policy and Apply Group Policy permissions 
on that GPO. 

Security filtering permissions control which computers and users can 
process a GPO; there are also security permissions that control who 
can edit that GPO. You can see those security permissions by 
highlighting a GPO in GPMC and selecting the Delegation tab, as in 
Figure 2. 

The Delegation tab is a bit confusing because it shows the security 
filtering permissions from the previous Security Filtering dialog box, 
as well as the permissions to edit or modify the GPO. In fact, you can 
grant both kinds of access here: granting permission to process a GPO 
here (as well as from Security Filtering) and also controlling who can 
edit a GPO. Furthermore, the Advanced button that you see at the 
bottom of the screen is the only place in GPMC where you can set Deny 
access to the GPO. Remember that security permissions can either allow 
or deny access—and both types of Access Control Entries (ACEs) are 
valid for GPO permissions. However, by default, the GPMC interface 
lets you set only allow permissions. So, for example, if you need to 
deny Read Group Policy and Apply Group Policy permissions to a group 
of users or computers that you want to exclude from processing a GPO, 
you'd need to do that by clicking the Advanced button, which brings up 
the familiar Access Control List editor that you use to set 
permissions on files or in AD. 

The final type of filtering that you have access to in Vista, Windows 
Server 2003, and Windows XP is the Windows Management Instrumentation 
(WMI) filter. WMI is a set of instrumentation in Windows that you can 
leverage to filter GPO processing. For example, let's say you want a 
GPO to apply only to XP systems. Using GPMC, you can create a WMI 
filter by right-clicking the WMI Filters node in the tree pane and 
selecting New. A WMI filter must take the form of a WMI query. (For 
more information about WMI filters, see 
technet2.microsoft.com/WindowsServer/en/library/dfba1dc6-6848-4ed8-96da-f4241c1acfbd1033.mspx; 
for more information about WMI queries, see "Sesame Script: WMI Query 
Language," 
www.microsoft.com/technet/scriptcenter/resources/begin/ssl206.mspx.) 

You can link just one WMI filter to a given GPO. If the query that's 
specified in the filter evaluates to True when the GPO is read, the 
GPO is applied. The evaluation of a WMI query takes place on the 
client computer that's processing the GPO. It interrogates its own 
local WMI repository to see if the query evaluates to true or false. 
If the query evaluates to False, the GPO is denied to the user or 
computer. Whether the WMI filter applies to a user or a computer 
depends upon the query. For example, if the query asks whether the 
computer is running XP, that's a computer-specific question, and if 
the computer is running XP, the GPO will apply whether the user is 
logged on or not. However, if the query asks whether "Joe Smith" is 
the currently logged on user on the computer, the GPO will apply only 
when Joe Smith is actually logged on. 


Policies vs. Preferences 

Perhaps the most popular area of Group Policy is Administrative 
Templates, or registry policy. This policy area lets you control many 
aspects of your Windows systems. The best part of registry policy is 
that it no longer "tattoos," or gets stuck in, the registry when the 
policy no longer applies, as it did in NT 4.0 system policy. What the 
end of tattooing means is this: Let's say you enable (or disable) a 
registry policy item in a GPO and apply it to a user or computer, then 
remove that GPO or security filter it away from the user or computer. 
During the next foreground or background processing cycle, that policy 
setting will automatically be removed, rather than being stuck in the 
registry until you explicitly delete it. 

Behind the scenes, this removal process works this way because 
Microsoft has specifically set aside four special registry keys where 
all policies are written, and they are removed when they no longer 
apply. There are two keys for computer registry policy: 

HKEY_LOCAL_MACHINE\Software\Policies 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies 

and two for user registry policy: 

HKEY_CURRENT_USER\Software\Policies 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies 


As long as registry policy settings write to one of these four keys, 
they will not tattoo the registry when the GPO is removed. Of course, 
to write policies to these four keys, the underlying applications or 
components in Windows had to be written to look in these keys for 
policy settings. However, you can still create custom ADM (or ADMX in 
Vista) template files that can write to any keys in the registry 
(under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER). Policies that do this 
are called preferences and will indeed tattoo the registry, even if 
the GPO containing them is removed. So, if you need to undo a 
preference that was enabled, you would need to disable it in the Group 
Policy Editor (GPE) interface or manually delete the registry value. 

Now this tattooing stuff is most commonly associated with registry 
policy, but other policy areas exhibit this behavior as well. For 
example, security policy effectively tattoos a system when it's 
applied. That is, if you set user rights assignments on a given 
system, for example, (using the policy found in Computer 
Configuration\Windows Settings\Security Settings\Local Policies\User 
rights assignment), and then you remove the GPO that applied those 
settings from where the computer was processing it, then those user 
rights assignments remain until you explicitly change them. This is 
important to understand because each policy area behaves a little 
differently with respect to their tattooing of your systems. In some 
cases, such as Folder Redirection or Software Installation policy, you 
have to tell the policy specifically what to do when the GPO no longer 
applies, as Figure 3 shows. Understanding the tattooing nature of each 
policy area will help you know how to manage the application and 
removal of policy better. 
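To check which settings in a custom ADM template are true policies and which are preferences that will tattoo the registry, you can compare each KEYNAME against the four keys listed above. The following is an added example, not code from the article or from Microsoft; the function names and the simplified ADM text are constructed for illustration, and it reads only CLASS and KEYNAME lines of classic ADM files, not ADMX.

```powershell
# Added example: flag KEYNAME entries in an ADM template that fall outside the
# four policy keys and will therefore tattoo the registry.

# The policy keys from the article, relative to the hive selected by CLASS.
$PolicyRoots = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Test-PolicyKey {
    param([Parameter(Mandatory = $true)] [string] $KeyName)
    $key = $KeyName.Trim().Trim('\')
    foreach ($root in $PolicyRoots) {
        # Match the root itself or a subkey of it. "Software\PoliciesOld" must
        # not pass, so the comparison includes the trailing backslash.
        if ($key -ieq $root -or
            $key.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-AdmKeyAudit {
    param([string[]] $Lines)
    $hive = 'UNKNOWN'      # used if a KEYNAME appears before any CLASS line
    $lineNumber = 0
    foreach ($line in $Lines) {
        $lineNumber++
        if ($line -match '^\s*CLASS\s+(MACHINE|USER)\b') {
            $hive = if ($Matches[1] -ieq 'USER') { 'HKEY_CURRENT_USER' }
                    else { 'HKEY_LOCAL_MACHINE' }
        }
        elseif ($line -match '^\s*KEYNAME\s+"?([^"]+?)"?\s*$') {
            $isPolicy = Test-PolicyKey -KeyName $Matches[1]
            New-Object PSObject -Property @{
                Line    = $lineNumber
                Key     = '{0}\{1}' -f $hive, $Matches[1]
                Kind    = if ($isPolicy) { 'Policy' } else { 'Preference' }
                Tattoos = -not $isPolicy
            } | Select-Object Line, Kind, Tattoos, Key
        }
    }
}

# Constructed, simplified ADM text (only the lines the audit reads matter).
$sampleAdm = @'
CLASS MACHINE
CATEGORY "Contoso App"
  POLICY "Disable automatic updates"
    KEYNAME "Software\Policies\Contoso\App"
    VALUENAME "DisableUpdates"
  END POLICY
  POLICY "Default server name"
    KEYNAME "Software\Contoso\App"
    VALUENAME "Server"
  END POLICY
END CATEGORY
CLASS USER
CATEGORY "Contoso App"
  POLICY "Hide splash screen"
    KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Contoso
    VALUENAME "NoSplash"
  END POLICY
  POLICY "Window colour"
    KEYNAME "Software\PoliciesOld\Contoso"
    VALUENAME "Colour"
  END POLICY
END CATEGORY
'@ -split "`r?`n"

Get-AdmKeyAudit -Lines $sampleAdm | Format-Table -AutoSize
```

For a real template, pass the file's lines with Get-Content; every row marked Preference needs an explicit undo plan before the GPO that delivers it is unlinked.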

Troubleshooting Group Policy 

Because Group Policy is complex, sometimes it doesn't work the way you 
expect. You might have inadvertently misconfigured something, or it 
might not work because something is simply broken. Group Policy 
processing requires several elements to work in harmony. Your AD 
infrastructure must be healthy, your workstations must be healthy, and 
the various settings that you configure must be compatible with the 
applications running on your desktops. When any of that is out of 
whack, you might see Group Policy processing failures. 

When failure happens, how do you find out what is amiss? The first 
step is to create a Resultant Set of Policy (RSoP) report on the 
problem computer. RSoP is gathered using the Group Policy Results 
Wizard within GPMC. You can also use the command-line utility 
gpresult.exe that comes with Vista, Windows 2003, and XP, to generate 
an RSoP report. The easiest thing to do is to run the Group Policy 
Results wizard from GPMC. The wizard lets you pick a local or remote 
computer to connect to, then pick a user who has logged onto that 
computer. The wizard then connects to that remote computer and gathers 
information about Group Policy processing that occurred during the 
last processing cycle. The most useful part of that report is the 
Summary tab, which you can see in Figure 4. 

The summary tab shows you which GPOs were applied to the computer and 
user, and most importantly, which GPOs were denied and why. In the 
Component Status section, the report can give you information about 
whether any specific portions of Group Policy processing failed and 
why. The Group Policy Infrastructure item you see in that section 
tells you whether the basic setup of Group Policy processing 
succeeded. If this step fails, then it usually indicates some 
infrastructure problem that's preventing any Group Policy processing 
from occurring. If the error occurs in one of the so-called 
client-side extensions that implement the various policy areas, then 
you might be able to isolate the problem by using the error messages 
provided. If you want to see which individual policy settings are 
being delivered to the computer or user, then you can view the 
Settings tab in the Group Policy results report to see which settings 
"won" and are being processed. However, note that just because the 
RSoP report says the setting has been applied doesn't actually 
guarantee that the setting was successfully made. It's best to 
sometimes check the underlying setting, be it a registry value or 
security setting, to be sure. 

You can also look in the 
Application event log on a given 
Windows system (note that Vista 
puts Group Policy events into 
the System event log and the 
Group Policy Operations log) to 
see additional errors related to 
Group Policy processing. 

With Knowledge 
Comes Power 

Group Policy is complex and powerful. By understanding how Group Policy is processed, you can get
a better handle on using its power. Remember that Group Policy is processed in order of local
GPO, AD site, domain, then OU (sometimes referred to as LSDOU) and that typically, the "last
writer wins" when there are conflicting settings. Policies and preferences can affect how policy
stays on your systems when the GPO is removed, and making explicit choices about using each is
important. The registry policies delivered by Microsoft in their standard ADM and ADMX files
don't typically tattoo the registry, but any custom ADMX files you use might. In addition, other
policy areas such as security do tattoo your systems and must be explicitly "un-done," while some
policy areas must be told to be undone when they no longer apply. Finally, if policy is still not
doing what you expect, fall back to the Group Policy Results wizard in GPMC to tell you what's
actually going on with your problem system and to point you toward a solution.

Some basic commands will get you started with the GUI-less Server Core in Windows Server 2008

Windows Server 2008's Server Core edition is a stripped-down version of the OS—a kind of Windows
lite that you control from the command line rather than from a GUI. What are the benefits of such
a configuration? Server Core's footprint is about SMB, considerably less than a full installation
of Windows Server. Of course, SMB is just to host the OS and any server roles—it doesn't include
additional data, such as Active Directory (AD) databases, that you might need for a particular
server role. Server Core installs only the necessary components for any of its supported server
roles. This reduces the attack surface of the OS, improves its security, and makes it easier to
maintain and manage (albeit with a reduced armory of tools). New technologies in Server 2008,
notably BitLocker and the read-only domain controller (RODC) functionality, can be used in
combination with Server Core to provide even better security.

Are the benefits of reduced resource utilization and improved security offset by a server that
some might consider hard to set up and administer? A look at the installation process and some
basic configuration commands will help you get Server Core running and connected to your network
so that you can begin to answer that question for yourself.

Installing Server Core

Installation and Setup

Installing Server Core is essentially the same as installing the full version of Server 2008; you
simply need to select the Server Core entry instead of the Server option in the installation
program (as Figure 1 shows). Not only is Server Core installation extremely simple, but, as you
might expect, it's also much faster than installing the full edition of the server.

After installation has finished, you're asked 
to press the usual key sequence of Ctrl+Alt+Del 
to open the logon dialog box. It might be a 
little disconcerting to then be presented with 
the option of logging on as Other User. Only 
one user is enabled by default in Server 
Core, and that's the administrator. Initially, 
no password is defined for the administrator 
account; you must set it the first time you log 
on. To do so: 

1. Click Other User. 

2. In the dialog box shown in Figure 2, 
enter administrator as the username in the 
upper box, and leave the lower (password) 
box empty. Click the arrow to the right of the 
boxes. 

3. Enter a password. 

To log off, simply type logoff at the command 
prompt. 

Give Server Core an IP 
Address and Host Name 

You can assign a static IP address and DNS server to a network adapter by using the netsh
command, the same way you would with the full version of Server 2008. To assign an IP address,
use a command like

netsh interface ipv4 add address "Local Area Connection" 192.168.1.100 255.255.255.0 192.168.1.11

where 192.168.1.100 is the IP address, 255.255.255.0 is the subnet mask, and 192.168.1.11 is the
gateway address. Of course, you should enter the full command without line breaks on the command
line.

To assign a DNS server, type

netsh interface ipv4 set dnsserver "Local Area Connection" static 192.168.1.101

where 192.168.1.101 is the DNS server's IP address.

Rename and Activate the 
Server 

If you want to rename the server, you first need to determine the name that was automatically
assigned during the installation process. Type hostname at the command prompt to return the
server's name, then issue the following two commands to change the name and reboot the server:

netdom renamecomputer %computername% /newname:servercorel
shutdown /r

Once Server Core is connected to the Internet, you can activate the server by running the
following command:

cscript c:\windows\system32\slmgr.vbs -ato

Figure 2: Logging on for the first time


Enable Remote 
Desktop 

Probably the two most crucial remote tools that you'll want to use with Server Core for
administration initially are Remote Desktop and the Microsoft Management Console (MMC) Windows
Firewall with Advanced Security snap-in. First, I'll show you how to enable and use Remote
Desktop, then I'll address accessing Server Core remotely with MMC and the Windows Firewall with
Advanced Security snap-in.

Although it's possible to make a Telnet connection to Server Core, Remote Desktop is the
preferred method because it provides encryption, network level authentication, and other
conveniences such as cut and paste. But don't get too excited—Remote Desktop won't give you a
full-fledged Windows Desktop from which you can administer the server. You'll just see a command
prompt as you would from the console.

Because there's no command-line tool or MMC snap-in from which you can enable Remote Desktop on
Server Core, you'll need to run the scregedit.wsf script that's provided as part of Server Core.
Scregedit contains various functions that are the only means of performing some tasks such as
setting the size of the page file, enabling Terminal Services, and product activation. To run
scregedit on Server Core, use the command

cscript c:\windows\system32\scregedit.wsf /AR 0

If you want to access Server Core by using Remote Desktop from a Windows OS other than Vista,
replace the /AR 0 switch with /CS 0. To see the full list of scregedit's possibilities, type the
command

cscript c:\windows\system32\scregedit.wsf /cli

Authenticate to Server 
Core with MMC 

During the initial configuration, or if Server Core will be a standalone server, you might need
to authenticate to it from a remote machine by using pass-through authentication. Some, but not
all, MMC snap-ins let you specify a username and password when you're connecting to a remote
computer.

The easiest way to get access remotely with MMC is to create a local user on Server Core that has
the same username and password as the remote account that you're using to run MMC. This way,
authentication will happen transparently. The new user also needs to be an administrator on
Server Core to gain unrestricted access. You can create a user and add the username to the
administrators group by entering the following commands:

net user /add <username> <password>
net localgroup administrators /add <username>

If you join Server Core to a domain, you should delete this account and use a domain-based user
for authentication. Whether Server Core is a member of a domain or a standalone server, you
should consider configuring Windows Firewall with Advanced Security to restrict which machines
can connect remotely to Server Core.

Configure Windows 
Firewall 

To enable the Windows Firewall with Advanced Security snap-in on any machine used for
administration to access a given Server Core box, log on to Server Core as an administrator and
type the command

netsh advfirewall set publicprofile settings remotemanagement enable

To access other remote administration tools, such as the MMC Event Viewer snap-in, run the
following command on Server Core to permit access through Windows Firewall:

netsh firewall set service remoteadmin enable

After you've made these basic changes to Windows Firewall on Server Core, you can use the Windows
Firewall with Advanced Security snap-in from a remote computer for all further configuration of
Server Core's firewall.

You could additionally modify the firewall rules to allow access to Server Core from specific
administration workstations only, if desired. To do so, you change the scope of the predefined
inbound rules for Windows Firewall Remote Management, Remote Desktop, and Remote Administration
by setting a list of remote IP addresses that are permitted to access Server Core. Figure 3 shows
setting the scope of a Windows Firewall Remote Management rule.

Firewall rules are associated with one of 
three network profiles: Domain, Private, or 
Public. (Server Core uses the Public network 
profile out of the box.) To determine which 
profile is currently active, click the Windows 
Firewall with Advanced Security node directly 
below Console Root in the MMC window. 
You'll see an overview of the firewall's settings 
in the central pane, including information 
about the active profile. If you change the 
scope for a rule that's associated with a profile 
that's not currently active, the changes won't 
be effective. 
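
The scope change described above can also be made at Server Core's own command prompt with netsh. The script below is an added example, not part of the original article: the workstation addresses are constructed, and the six rule names are assumptions about the predefined inbound rules, so list the real names first with netsh advfirewall firewall show rule name=all.

```batch
@echo off
rem Added example, not from the article: limit Server Core's remote-management
rem firewall rules to specific administration workstations.
setlocal

rem Constructed sample addresses: replace with your administration workstations.
set "ADMIN_IPS=192.168.1.50,192.168.1.51"

rem A scope change on a rule tied to a profile that isn't active has no effect,
rem so show the active profile first (Server Core uses Public out of the box).
netsh advfirewall show currentprofile

rem ASSUMPTION: these are the predefined inbound rule names on your build.
rem Confirm them with: netsh advfirewall firewall show rule name=all
set FAILED=0
for %%R in (
    "Remote Desktop (TCP-In)"
    "Windows Firewall Remote Management (RPC)"
    "Windows Firewall Remote Management (RPC-EPMAP)"
    "Remote Administration (RPC)"
    "Remote Administration (RPC-EPMAP)"
    "Remote Administration (NP-In)"
) do call :scope %%R

echo Rules left unchanged: %FAILED%
exit /b %FAILED%

:scope
rem %1 is the quoted rule name. "set rule" only edits existing rules, so a
rem wrong name changes nothing; that case is counted and reported.
rem ASSUMPTION: netsh returns a nonzero exit code when no rule matches.
netsh advfirewall firewall set rule name=%1 dir=in new remoteip=%ADMIN_IPS% >nul 2>&1
if errorlevel 1 goto :scopefail
echo Scoped %1 to %ADMIN_IPS%
rem Read the rule back to confirm the new scope (English-language output).
netsh advfirewall firewall show rule name=%1 | find "RemoteIP"
goto :eof

:scopefail
echo NOT CHANGED: %1
set /a FAILED+=1
goto :eof
```

Run it from the console or a Remote Desktop session that originates from one of the listed addresses; otherwise the new scope will cut off the session you are using.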


For more information about configuring Windows Firewall with Advanced Security, see the Security
Pro VIP article "Windows Firewall Shows New Maturity in Vista," April 5, 2007 (InstantDoc ID
95099). The configuration process is similar in Server 2008 and Vista.

Access the File System

The easiest way to get access to Server Core's file system is to use Windows Explorer on an
administration workstation and map drives to the root administrative shares that are enabled by
default on Server Core (e.g., c$ and d$). You can connect to these shares only with an account
that has administrator privileges on Server Core, and you must enable remoteadmin by using netsh,
as shown earlier. The File Server role is installed by default to provide access to these
administrative shares, but you can also install features such as File Replication Service (FRS).

To map a network drive to an administrative share on Server Core from a remote machine, use a
command similar to the following:

net use z: \\192.168.1.100\c$

Join Server Core to an AD Domain

You can use the netdom command to join Server Core to an existing AD domain, as follows:

netdom join <machine name> /domain:<domain name> /userd:<user name> /passwordd:<password>


Install Server Roles and 
Optional Features 

Server Core supports the server roles Active Directory Domain Services, Active Directory
Lightweight Directory Services (AD LDS), DHCP Server, DNS Server, File Services, Print Server,
Streaming Media Services, and Web Server (IIS), among others. For a full list of server roles and
other supported features, go to www.microsoft.com/windowsserver2008/servercore.mspx.

With the exception of the Active Directory Domain Services role, you install server roles and
features by using the ocsetup command. To list the server roles and features currently installed,
run the oclist command. The syntax for ocsetup is the same for both roles and features. The
ocsetup command-line tool is case sensitive, but you can get the correct capitalization for a
server role or feature from the output of the oclist command (which Figure 4 shows). The
following command installs Windows Backup:

start /w ocsetup WindowsServerBackup

Using the /w switch with the start command gives the user an indication of when ocsetup has
finished installing the new role or feature by preventing further input at the command prompt
until installation is complete. It also stops the user from running another command while ocsetup
is running.

To promote Server Core to a DC, you need to generate an unattended .txt file on a full version of
Server 2008 and then run dcpromo as shown below on Server Core:

dcpromo /unattend:<unattendfile.txt>

Other Ways to Administer 
Server Core 

As if these weren't enough ways to administer Server Core remotely, you can make use of Windows
Remote Shell (WinRS) in Vista. The WinRS client passes commands to a WinRS listener on Server
Core, which in turn passes the commands to a prompt, captures the output, and passes it back to
the WinRS client.

To configure WinRS on Server Core, run the following command:

winrm quickconfig

This command will prompt you to perform a couple of WinRS configuration steps.

Below is an example of a command being run against Server Core remotely by using WinRS. You
should note that this command line is for a machine that's a DC or domain member:

winrs -r:http://<servername> ipconfig

The one big disadvantage of WinRS is that it can't run commands interactively.

You can also use administration tools such as the Windows Management Instrumentation command line
(WMIC) and PowerShell by means of WMI calls to manage Server Core. Unfortunately, Server Core
doesn't support PowerShell directly at the time of writing (as of Server Core RC0) because
PowerShell relies on the .NET Framework. Hopefully, both will be supported in a future release.


Activate Automatic 
Updating 

You can activate automatic updating on Server Core by using scregedit to modify the registry and
then restarting the Windows Update service, as follows:

cscript c:\windows\system32\scregedit.wsf /au 4
net stop wuauserv
net start wuauserv

As of Server Core RC0, scregedit with the /au 4 switch sets the time for checking updates to the
default of 3 a.m. In Server 2008, /au 4 also reboots the server automatically if the updates
require it. You can disable automatic updating by using the /au 1 switch and then restarting the
Windows Update service. To check the value set for /au, use the /au and /v switches in sequence.

To force an immediate check for updates, you can use the wuauclt command as follows:

wuauclt /detectnow

Run Antivirus and Other 
Applications 

Windows Installer is supported on Server Core, so you can use the msiexec command to install
antivirus and other third-party applications if required. (And who wants to run a server without
proper antivirus and backup software these days?) Before you deploy any such solution, though,
you should check that it's officially supported on Server Core by contacting the vendor.

You can run at least two Windows-based applications from the console: notepad and regedit. These
are useful tools, but I found it a little odd to be able to run regedit but not dcpromo, with its
simple GUI.

Potential Not Yet Fully 
Realized 

One of the biggest potential uses for Server Core—as a Web server—is unlikely to be realized with
the current incarnation of the product due to its lack of support for the .NET Framework. Other
uses, although limited, could be practical in situations that don't require frequent changes to
server configuration, such as an RODC. Given the trend towards virtualization, Server Core and
the hypervisor feature in Server 2008 (a software virtualization layer that sits between the
hardware and the OS) together could prove to be one of the "must have" features of the next
generation Windows Server.

The lack of a GUI in Server Core needn't be a disadvantage. Once the basic configuration has been
completed, most other settings can be either pushed out automatically by using Group Policy, if
the server is part of a domain, or configured by using MMC snap-ins on a remote machine.
PowerShell is noticeable by its absence, considering it's Microsoft's latest solution for
managing Windows from the command line. It's slated for inclusion in future versions of the
product.

Despite some of the shortcomings of Server Core, the ability to run Windows with a significantly
reduced footprint has the potential to give substantial improvements in security, capacity for
virtualization, and performance.

If you've been administering Windows environments for very long, you're probably
familiar with Administrative Template (ADM) files. Since the days of Office 97, Microsoft
has provided ADM files that let you customize the behavior of your Office applications
using Group Policy (or its predecessor, system policy). With the release of the Microsoft
Office 2007 system, Microsoft has continued this tradition and put considerable effort
into making Office 2007 a full citizen within the world of Group Policy. Microsoft has also
provided tools such as the GPOAccelerator for optimizing Office 2007 security configurations. To
take advantage of these management capabilities in your Office 2007 deployments, you'll need
to know how to install the templates and how to use the templates and other tools to create the
appropriate policy settings for your environment.


Administrative Templates and Office 

Group Policy Administrative Templates are the usual means of managing Office configurations 
after Office is deployed to your desktops. The Office Administrative Templates let you customize 
the options that are enabled and disabled within each of the Office 2007 applications. 

Deploying Office versions earlier than Office 2007 often involved using the Group Policy Software
Installation (GPSI) feature, along with custom transform (.mst) files that modified the default
configuration according to your requirements. However, as Dan Holme noted in "Customizing
and Deploying Office 2007," May 2007, InstantDoc ID 95433, customizing deployments of Office
2007 using Group Policy has changed radically.

Office 2007 uses something called the Office Customization Tool (OCT) to create custom Windows
Installer patch (.msp) files that you use to customize Office configurations. Therefore, you might
wonder how the post-deployment configuration of Office 2007 using Administrative Template files
has changed. The good news is that it has only gotten better: You now have more capabilities for
configuring and locking down your Office 2007 deployments than you've ever had.

Figure 1: Selecting Administrative Templates to add to a GPO


Getting the Administrative 
Templates 

You can download the Administrative Template files from the Microsoft Download Center at
www.microsoft.com/downloads/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7.
Microsoft provides both ADM files and the new file format, ADMX, which you need with Windows
Vista and Windows Server 2008.

After you've downloaded AdminTemplates.exe and extracted the files, you'll see an ADM folder and
an ADMX folder. (You'll also see a folder called Admin, which contains OCT files for customizing
Office at deployment time; I won't discuss those files in this article.) Within the ADM folder,
you'll see a number of folders named by language code (e.g., de-de for Germany, en-us for US
English, es-es for Spanish). These are the language-specific versions of the ADM files; when
configuring Office 2007, you'll pick the language folder that matches the version of Windows
you're running.

The ADMX folder includes language-specific folders in addition to the ADMX files. The folders
contain the language resource files (ADMLs) that work with the language-neutral ADMX files. If
you're managing Office 2007 from a Vista or Server 2008 system, these are the files you'll need
to use.


Implementing 
the ADM Office 
Templates 

For any version of Windows earlier than Windows Vista, you'll use the ADM files. Note that in
pre-Vista versions of Windows, ADM files are stored individually within each Group Policy Object
(GPO), so you'll need to perform these steps within each GPO that you want to implement Office
2007 policies.

The first thing you need to do to load the ADM files for use in Group Policy is open the
Microsoft Management Console (MMC) Group Policy Editor (GPE) snap-in, focused on the GPO you want
to manage. You can choose either a GPO that's part of an Active Directory (AD) domain or a local
GPO. Right-click the Administrative Templates node under either Computer Configuration or User
Configuration (it doesn't matter which one you use when you're adding templates to a GPO), select
Add/Remove Templates from the context menu, then click Add to browse to the folder of ADM files
for your language of Office 2007. Note that you can select all the ADM files in a folder at the
same time to load into your GPO, as Figure 1 shows. When you click Open in the Policy Templates
dialog box, the ADM files are copied into the GPO and they'll appear under the Administrative
Templates node of GPE, as Figure 2 shows.

You'll find Office configuration options 
under both the Computer Configuration and 
User Configuration nodes; options under 
Computer Configuration apply to all users 
on a computer where that GPO is applied, 
whereas the ones under User Configuration 
apply to any user object in AD that receives 
the GPO. A potentially confusing circumstance 
is that these ADM files (and the ADMX files 
as well) ship with both true policies, which 
can be fully managed by administrators, and
preferences, which are settings made outside
of the designed policy keys within the registry.
Preferences aren't shown by default in GPE.
To see all of the policy settings provided by the
Office templates, you'll need to select View,
Filtering in GPE, then clear the Only show policy
settings that can be fully managed check box
so that all preferences will appear along with
the policy settings. Unfortunately, this filter
doesn't persist, so you'll have to reset it every
time you launch GPE.

Implementing the ADMX 
Office Templates 

Vista introduced a major improvement in Administrative Template management with the ADMX file
format, which essentially replaces the ADM files with an XML-based format for defining new
registry-based policy settings. One advantage ADMX files provide is that GPE no longer requires
them to be stored in the SYSVOL portion of every GPO in a domain, saving space and network
bandwidth on your domain controllers (DCs) by not having to replicate these files within every
GPO that uses them to every DC.

To get access to the Office 2007 ADMX files on your Vista administrative workstation, you can
choose from two methods. The first and easiest method is simply to copy the ADMX files within the
ADMX folder to your local workstation, placing them in the folder called
C:\Windows\PolicyDefinitions. Make sure you copy only the ADMX files into this folder at this
point—not all the sub-folders that contain the language-specific ADML files, which is the next
step. Choose the language of ADML files you need and copy them into the language-specific folder
under C:\Windows\PolicyDefinitions. For example, if you're using a German-language version of
Windows, you would copy the ADML files within the de-de folder in the Administrative Templates
installation into C:\Windows\PolicyDefinitions\de-de. After the files are copied to the
appropriate folders, you'll see them underneath Administrative Templates within the Computer
Configuration and User Configuration nodes when you launch GPE.

The other option for getting the Office 2007 ADMX files into GPE is to leverage the central
store. Vista and Server 2008 support looking in a central file share for ADMX and ADML files. You
don't have to copy these files to every administrator's local workstation to make them available;
if you copy them to a single central location in the SYSVOL folder on your DCs, they'll be
available to all administrators that start GPE in your domain.

If you don't already have the central store in place, you'll need to create it and populate it
with all the default ADMX and ADML files before you copy the Office 2007 files into it. Note that
when the central store exists in a domain, the GPE ignores the contents of
C:\Windows\PolicyDefinitions and looks only in the central store for ADMX files. If you copy only
the Office ADMX files into the central store, you'll no longer see any of the other Windows ADMX
files in any of your GPOs! The central store is easy to create; the steps are described in the
Microsoft article "How to create a Central Store for Group Policy Administrative Templates in
Windows Vista" at support.microsoft.com/kb/929841. However, I've created a free utility that you
can use to create the central store via a GUI if you don't want to perform the task manually. You
can download the utility at www.gpoguy.com/cssu.htm.
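
The ordering described above (default Windows templates first, Office templates second) can be scripted. This is an added example, not the author's utility and not taken from the Microsoft article: the Office extraction folder is a hypothetical path, en-us is a sample language, and the store location assumes the usual PolicyDefinitions folder under the domain's SYSVOL Policies share.

```batch
@echo off
rem Added example: populate the ADMX central store in the safe order so the
rem Windows templates do not vanish from GPE. Run it from a Vista or Server
rem 2008 machine with an account allowed to write to SYSVOL.
setlocal

rem ASSUMPTION: central store path under the logon domain's SYSVOL share.
set "STORE=\\%USERDNSDOMAIN%\SYSVOL\%USERDNSDOMAIN%\Policies\PolicyDefinitions"
rem HYPOTHETICAL folder where AdminTemplates.exe was extracted.
set "OFFICE=C:\Office2007Templates\ADMX"
rem Sample language folder; it must exist under both source folders.
set "LANGDIR=en-us"
set "LOCAL=%SystemRoot%\PolicyDefinitions"

if not exist "%OFFICE%\*.admx" goto :nooffice
if not exist "%OFFICE%\%LANGDIR%\*.adml" goto :nooffice
if not exist "%STORE%\%LANGDIR%" md "%STORE%\%LANGDIR%" || goto :copyfail

rem Step 1: seed an empty store with the default Windows files FIRST. Once
rem the store exists, GPE stops reading the local PolicyDefinitions folder.
if exist "%STORE%\*.admx" goto :office
echo Seeding %STORE% from %LOCAL%
copy /y "%LOCAL%\*.admx" "%STORE%" >nul || goto :copyfail
copy /y "%LOCAL%\%LANGDIR%\*.adml" "%STORE%\%LANGDIR%" >nul || goto :copyfail

:office
rem Step 2: only now add the Office 2007 definitions and language files.
copy /y "%OFFICE%\*.admx" "%STORE%" >nul || goto :copyfail
copy /y "%OFFICE%\%LANGDIR%\*.adml" "%STORE%\%LANGDIR%" >nul || goto :copyfail

rem Step 3: report any ADMX file that has no ADML of the same name in the
rem chosen language, since GPE needs it to display that template's settings.
set MISSING=0
for %%F in ("%STORE%\*.admx") do if not exist "%STORE%\%LANGDIR%\%%~nF.adml" (
    echo No %LANGDIR% resource file for %%~nxF
    set /a MISSING+=1
)
echo Done. ADMX files without a %LANGDIR% ADML: %MISSING%
exit /b 0

:nooffice
echo Office ADMX or %LANGDIR% ADML files not found under "%OFFICE%"
exit /b 1

:copyfail
echo Copy to "%STORE%" failed. Check the path and your SYSVOL permissions.
exit /b 1
```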


Using the Templates to 
Lock Down Office 

The Administrative Templates in Office 2007 provide close to 3,500 different configurable
settings, which is significantly more settings than are available in Office 2003. Having so many
choices can be bewildering at times. In addition, the Explain text that accompanies
Administrative Templates is notoriously sparse in Office templates, meaning you might go through
a lot of trial and error to find the correct policy for your needs.

As a further complication, the Office templates don't always behave the same as other
Administrative Templates. For example, if you enable a policy in Explorer to lock down a certain
function, that function—be it a button or check box—is usually grayed out so the user can't
modify it. However, this isn't the case in Office. For instance, if you disable background saves
in Microsoft Office Word 2007, the check box for background saves isn't selected when you start
Word, but it's available for a user to select. However, when you next start Word, sure enough the
option isn't selected—as the policy dictates. This behavior can be frustrating if you don't know
to expect it.

The other unfortunate behavior I've noticed 
is that Office applications, unlike many Windows 
components that are controlled by policy, don't 
dynamically detect changes to policies while 
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Figure 3: Viewing options to disable Excel menu items 


the application is running. For example, in my 
scenario about managing the background save 
feature in Word, if 1 set this policy and a user 
processes the policy while Word is running. 


Word won't immediately make the change, as 
"policy-friendly" applications are supposed to. 
Word won't pick up that change until the next 
time the user starts the application. 


The templates let you disable 
menu elements within Office 
applications. You typically have two 
ways to do this for each application. 
The first way is to choose one of 
the predefined menu options that 
the policies provide. The second, 
and more obscure, way is to use 
custom menu identifiers to restrict 
a particular menu choice. Let's take
a look at both methods for locking
down an Excel menu option.
For the first method, navigate the
console tree in GPE to User
Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable Items in User Interface\Predefined,
then select the Disable Commands policy in the right
pane. Click Properties to display
the Disable commands Properties
dialog box where you'll find options to disable
specific menu items, as Figure 3 shows.

Now, if you choose the Custom container
under Disable Items in User Interface, you can
define custom commands (menu items) and
shortcut keys that you want to control. When
you open the policy setting by double-clicking
it, it asks for the command bar ID of the command
you want to control. Where do you get the
ID? The answer isn't altogether straightforward.
All that I've found are Visual Basic macros that
you can run within a given Office application
to query for particular command bar IDs. For
example, the Microsoft article "WD2000: How
to Generate a List of Command Bar Names,
Captions, and ID Numbers" at
support.microsoft.com/kb/243988 describes how you can do this
for Word 2000, and I've used the macro from that
article successfully in Office 2003. I haven't seen
any documentation for using it in Office 2007,
which has the new ribbon menus, but I ran the
macro in Word 2007 and it worked as expected,
so that's a good sign!
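
The Custom policy needs a command bar ID, and the same lookup the macro performs can be scripted from PowerShell through Word's COM object model. The following is an added example, not the macro from the Microsoft article; the function name Get-WordCommandBarId and its -CaptionLike parameter are hypothetical, and it assumes Word is installed on the machine where it runs.

```powershell
# Added example: list command bar controls (bar name, caption, ID) exposed by
# Word's object model, so the ID can be entered in the Custom policy setting.
# Only the top-level controls of each command bar are listed.
function Get-WordCommandBarId {
    [CmdletBinding()]
    param(
        # Wildcard filter on the control caption, e.g. '*Save*'.
        [string]$CaptionLike = '*'
    )

    $word = New-Object -ComObject Word.Application
    try {
        $word.Visible = $false
        $seen = @{}

        foreach ($bar in $word.CommandBars) {
            foreach ($control in $bar.Controls) {
                # Captions carry '&' accelerator markers; strip them for matching.
                $caption = ($control.Caption -replace '&', '').Trim()
                if ($caption -notlike $CaptionLike) { continue }

                # The same control can appear on several bars; report each
                # bar/ID/caption combination once.
                $key = '{0}|{1}|{2}' -f $bar.Name, $control.Id, $caption
                if ($seen.ContainsKey($key)) { continue }
                $seen[$key] = $true

                [pscustomobject]@{
                    CommandBar = $bar.Name
                    Caption    = $caption
                    Id         = $control.Id
                }
            }
        }
    }
    finally {
        # Always close the hidden Word instance and release the COM reference.
        $word.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
    }
}

# Find candidate IDs for any control whose caption mentions "Save".
Get-WordCommandBarId -CaptionLike '*Save*' |
    Sort-Object Id, CommandBar |
    Format-Table -AutoSize
```

Test a chosen ID in a lab GPO first, because Office applies the restriction only the next time the application starts.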

Securing Office 2007 with 
Group Policy 

In addition to the Administrative Templates for 
configuring features within Office 2007, Microsoft 
has also provided two Group Policy-related tools 
for ensuring that your Office 2007 deployments 
are configured securely. The first of these is the 
2007 Microsoft Office Security Guide, available 
on Microsoft's Web site. The guide includes a 
spreadsheet and set of documents that describe 
in detail the security-related settings within the 
Office 2007 Administrative Templates and how 
you can use them to securely configure your 
Office deployments. 


The other aid for easing the creation of
Group Policies for securing your Office deployments
is the GPOAccelerator. This tool, which
you can download from Microsoft, is a Windows
Installer (.msi) file that you install on
your administrative workstation. It includes
a set of predefined GPOs that you can install
into an AD domain (probably a test domain
initially); they provide recommended Office
2007 security settings for a variety of scenarios.
GPOAccelerator installs a script called
GPOAccelerator.wsf that creates an organizational
unit (OU) in the AD domain you run the
script from, then creates GPOs according to a
number of switches that you specify. I ran the
GPOAccelerator script with the /Enterprise,
/Lab, and /Vista options and, as Figure 4
shows, the resulting OU structure, including
the GPOs, was created under Vista Security
Guide EC Client OU in my test domain.

In addition to specifying best practices for
Office-related Administrative Template settings,
GPOAccelerator's GPOs include best
practices for general security settings, including
areas such as audit, user rights, and event-log
settings. These GPOs are a good starting
point for designing your own GPOs to manage 
Office users. You can tweak and modify the 
settings within these GPOs to meet the needs 
of your particular environment. The key point 
is that Microsoft has done a lot of the hard work 
up front to figure out what security settings you 
need to be concerned with, and that makes 
getting up to speed with your Office 2007
configurations much easier.


What’s Missing? 

Although the Office 2007 Administrative Templates
include a dizzying array of options
for managing Office through Group Policy,
you'll find a few obvious things are absent.
For example, you can't set up Microsoft Office
Outlook profiles using Administrative Template
settings, but you can configure how a
Microsoft Exchange server behaves after an
Outlook profile is defined in the user's profile.
Any settings that aren't stored in the registry as
types supported by Administrative Templates
are missing—types such as REG_BINARY fall
into this category.

Perhaps some of these missing Office capabilities
will show up when Microsoft makes
the DesktopStandard PolicyMaker extensions, 
which it acquired in 2006, available to its 
general customers. Those extensions include 
features such as creating Outlook profiles and 
specifying options in Office that the Administrative
Templates don't cover. Let's keep our
fingers crossed that Microsoft releases them 
sooner rather than later. 

Unprecedented 
Control of Office 

With the release of the Office 2007 Administrative
Templates and the 2007 Microsoft Office
Security Guide and GPOAccelerator, Microsoft
has added an unprecedented number of
Group Policy-based configuration options 
for your Office deployments, which you can 
use whether you're running Windows Vista 
or Windows XP. Although you won't find 
every option you might want, with these tools 
Microsoft is getting much closer to providing 
full control of every aspect of Office through 
Group Policy. This is a good thing! More and 
more users are discovering the power of Group 
Policy for configuring their systems, and it 
makes sense for Microsoft to ensure that as 
many of its products and components are 
Group Policy-enabled as possible to reduce 
the number of places you have to go to manage 
your desktops.

InstantDoc ID 97829 
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Policy resource Web site (www.gpoguy.com) and is 
coauthor of Microsoft Windows Group Policy Guide 
(Microsoft Press). 
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the opportunity to meet with leading 
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Tricks & Traps - Ask the Experts 


Q: I have a Msocache folder on my 
computer. What is it? 

A: When you install Microsoft Office 
2003 and later versions, the installation 
media is copied to the local computer 
into a folder called Msocache. This 
copy of the installation files is known
as a Local Install Source. The Local 
Install Source lets you avoid having 
to insert media when you add Office 
components, repair an installation, 
or add fixes and service packs. The 
Msocache is located on an NTFS 
partition that has at least 1.5GB of free
space. If you select the option to Delete 
installation files during the Office 
installation, then the Msocache folder 
is automatically removed. If you want 
to remove the Msocache folder after 
Office is installed, run Windows' Disk 
Cleanup utility, and after it scans the 
drive, select Office Setup Files from the
Files to Delete list. Click OK. You can 
only remove the Msocache folder for 
an Office 2003 installation; in Office 
2007, the folder is a required part of 
the design. 

InstantDoc ID 97772

—John Savill 

At a Glance

Learning about the Msocache folder
Using WDS to approve devices
Extracting the contents of an MSI file
Controlling password caching in OMA


How can I extract the content of an MSI file?

There are numerous utilities that will extract the content of
an MSI file (e.g., msidb, which you can download at
msdn2.microsoft.com/en-us/library/Aa370083.aspx). However, you
can also extract the content by performing an administrative
installation using the Msiexec command with the /a switch
and specifying a target folder for the extraction, as the following
example shows:

D:\temp>msiexec /a mm26_enu.msi /qb TARGETDIR=d:\temp\mmextract

For more information about Windows Installer command-line
options, see the Microsoft article “Command-line Options” at
www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/msiexec.mspx?mfr=true.

InstantDoc ID 97773

—John Savill


Q: I'm trying to use Windows
Deployment Services (WDS)
to approve devices, but I get an
Access Denied error. What's wrong?

A: To approve a device, WDS has to
create a computer account in Active
Directory (AD) in the Computers
container. However, the WDS server
doesn't have permission to this container.
To give WDS this permission,
perform these steps:

1. Start the Microsoft Management
Console (MMC) Active
Directory Users and Computers
snap-in.

2. Right-click the container where 
the computer accounts are created 
(Computers by default) and select 
Delegate Control. 

3. Click Next to the welcome 
screen of the Delegation of Control 
wizard. 

4. You'll be prompted for the user
or group for whom to add permissions.
Click Add.

5. Click the Object Types button, 
and select Computers. 

6. In the selection dialog box,
enter the name of the WDS server to
which you want to give access permissions.
Click Next.

7. Under the tasks to delegate, 
select Create a custom task to 
delegate. 

8. Select the Only the following 
objects in the folder option and select 
the Computer objects type check 
box. Select the Create selected objects 
in this folder check box and click 
Next. 

9. Under permissions, give the 
server Read and Write permissions 
and click Next. 

10. Click Finish to grant the server 
access to the Computers container. 

InstantDoc ID 97774 

—John Savill 
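
After a delegation like the one in the steps above, it is worth confirming exactly which accounts can create or modify computer objects in the container, because a grant wider than intended is easy to miss in the wizard. The following is an added example, not part of the original answer: the function name Get-ComputerObjectDelegation and the account name EXAMPLE\WDS01$ are hypothetical, and it assumes the ActiveDirectory PowerShell module is available on the administrative workstation.

```powershell
# Added example: report which accounts can create or modify computer objects
# in a container, by reading the container's ACL.
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" class; an all-zero GUID in an ACE means "any class".
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AnyClass      = [guid]::Empty

function Get-ComputerObjectDelegation {
    param(
        # Defaults to the domain's Computers container, as in the steps above.
        [string]$ContainerDN = (Get-ADDomain).ComputersContainer,
        # Optional wildcard filter on the account name.
        [string]$IdentityLike = '*'
    )

    $createChild   = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $writeProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $acl = Get-Acl -Path "AD:\$ContainerDN"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notlike $IdentityLike) { continue }

        $rights = [int]$ace.ActiveDirectoryRights

        # Create rights: the ACE's ObjectType names the child class that may be created.
        $canCreate = (($rights -band $createChild) -ne 0) -and
                     ($ace.ObjectType -in $ComputerClass, $AnyClass)

        # Write rights on computer objects: the ACE must be inherited by
        # descendants, and InheritedObjectType names the class it applies to.
        $canWrite = (($rights -band $writeProperty) -ne 0) -and
                    ($ace.InheritanceType -ne 'None') -and
                    ($ace.InheritedObjectType -in $ComputerClass, $AnyClass)

        if (-not ($canCreate -or $canWrite)) { continue }

        [pscustomobject]@{
            Identity           = $ace.IdentityReference.Value
            CanCreateComputers = $canCreate
            CanWriteComputers  = $canWrite
            Inherited          = $ace.IsInherited
            Rights             = $ace.ActiveDirectoryRights
        }
    }
}

# Everything that can create or modify computer objects in the Computers container.
Get-ComputerObjectDelegation | Sort-Object Identity | Format-Table -AutoSize

# Only the WDS server's computer account (hypothetical name).
Get-ComputerObjectDelegation -IdentityLike 'EXAMPLE\WDS01$'
```

Entries with Inherited set to True come from a parent object's ACL rather than from a delegation made directly on the container.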


Q: We've been testing Microsoft
Outlook Mobile Access (OMA) and
have found that our users' passwords
are being cached. How do we
control this behavior?

A: Well, that depends on your users' 
phones. Here's the situation: OMA 
uses Basic Web authentication over 
Secure Sockets Layer (SSL) to send 
an authentication request to users' 
mobile devices, which then can either 
prompt the users for credentials or 
return a cached set of credentials. To 
prevent the annoyance of needing to 
continually retype your password on a 
10-key numeric pad, most cell-phone 
manufacturers include some kind of 
caching mechanism in their phones. 

OMA isn't the one caching authentication
information, so you can do
nothing on the server side to prevent 
the behavior you describe. Whether 
you can clear the cache and stop the 
behavior depends on the phone. Some 
newer phones (e.g., Sony Ericsson's 
T610) include a separate password 
cache that has a shorter lifetime than 
the phone's typical cache. Contact the 
manufacturers of your users' phones 
to determine whether you can control 
those phones' caching behavior. 
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SECURITY VS. REALITY: STEVE RILEY'S PERSPECTIVE 


STEVE RILEY MICROSOFT

Always a highlight of Windows Connections, we are once again thrilled to be presenting Steve Riley, 
security evangelist, pundit, and guru. He will share his insightful, expert, and provocative views on the 
reality of security in today's enterprise. 

Steve Riley's career at Microsoft began in 1998 in the telecommunications practice of Microsoft Consulting Services where he worked 
with several ISPs and ASPs to design highly-available network architectures, develop hosting platforms for various custom and off-the-shelf
applications, and deploy complex multi-site VPNs. His specialization in security led him next to the security consulting practice,
where he worked with many customers to conduct security assessments and risk analysis, deploy technologies for attack prevention and intrusion detection, 
and assist with occasional incident response efforts. Steve is now a product manager in Microsoft's Security Business Unit. He is a frequent and popular speak¬ 
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nology, Steve spends time with customers to better understand the security pain they face and show how some of that pain can be eliminated. Steve's tech¬ 
nical specialties include network and host security, communication protocols, network design, and information security policies and process. 
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rent state of Windows. 
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other alpha geeks is that he knows how to explain things to normal humans and often make them laugh while doing it. He's probably best known for his books. 
Mastering Windows NT Server (Sybex), Mastering Windows 2000 Server, and The Complete PC Upgrade and Maintenance Guide and his columns in
Windows IT Pro. Mark has also authored 17 other technology books, spoken on technical topics in 20 countries, and written and appeared in a dozen technical
education videos. His most recent works are Mastering Windows 2000 Server, Third Edition and Mastering Windows XP Professional. He has also written
Linux for NT/2000 Administrators and a seventh edition of Mastering Windows NT Server 4.0.
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MICROSOFT EXCH 

SESSIONS PRESENTED 
BY MICROSOFT 


MICROSOFT DAY • MONDAY, APRIL 28, 2008 • MICROSOFT DAY 


EXCHANGE SERVER 2007 SP1 OVERVIEW
MICROSOFT 

This session will introduce the latest changes to be introduced in the first service
pack for Microsoft Exchange Server 2007. This service pack includes new
features such as Standby Continuous Replication (SCR) as well as extensions to 
existing functionality such as Public Folder access in Outlook Web Access. 

EXCHANGE SERVER 2007 SP1 DEPLOYMENT PLANNING
MICROSOFT 

Exchange Server 2007 brings with it many new concerns for implementation 
given the new 'roles-based' nature of the product. Migration approaches are 
necessarily different from previous versions too, given new hardware 
dependencies. In this session, we take a comprehensive look at all of the new 
requirements and techniques. This session has been updated to include
SP1-specific content.

MICROSOFT EXCHANGE 2007 ARCHITECTURE AND DESIGN 

AT MICROSOFT 

MICROSOFT 

Ever wondered how a large enterprise plans and implements design and architecture
of its next generation of messaging system? Join us in this session
where engineers from the Microsoft IT messaging team will uncover the details
on how Exchange 2007 infrastructure was introduced and fully deployed in a
120,000+ mailbox production environment. Topics will include: messaging topology
design, hardware planning for various Exchange server roles, Client Access
Server and Mobility scenarios, Transport architecture, Mailbox server and storage
designs, backup, restore and high availability strategies.

MICROSOFT WINDOWS POWERSHELL SCRIPTING FOR 
MICROSOFT EXCHANGE SERVER 2007 
MICROSOFT 

This session covers the new Windows PowerShell-based Exchange cmdline and
scripting interface. Learn how to convert your multiple page Visual Basic and 
COM scripts to mere one-liners in Microsoft Exchange 2007. We cover the basics 
of the management shell, as well as the underlying design and key concepts. 
Additionally, we go into more depth on how to build larger scripts that can be 
used to automate small and medium, as well as enterprise business scenarios. 

MESSAGE SECURITY AND HYGIENE IN EXCHANGE SERVER 2007 
MICROSOFT 

Come to this session and find out how Exchange Server 2007 can authenticate 
and encrypt mail within your network. Put your questions to the experts and 
learn how anti-spam and antivirus can be deployed with Exchange Server 2007 
in your environment. Are you interested in how you can maintain system 
integrity by adjusting spam and virus settings and implementing the appropriate
security policies? Ask questions and work through real world scenarios with
Microsoft's experts to discover how end-users can also manage junk email. 

EXPLORING COMPLIANCE IN EXCHANGE SERVER 2007 
MICROSOFT 

As e-mail becomes the standard of business communication, companies are 
increasingly looking for better ways to control their messaging systems. Not 
only is the sheer volume of e-mail a challenge, but the information stored in 
them is generally unregulated and can leave a company exposed to litigation. 

In this session, you'll learn how to deploy compliance and policies within your 
environment using the various capabilities in Exchange Server 2007. You'll see 
how you can provide end-users with the capability to keep what needs to be 
kept; and to expire what is no longer valuable by implementing a Messaging
Records Management solution. You'll also learn how transport rules, transport
journaling and other capabilities in Exchange Server 2007 can be used to help 
your organizations achieve compliance. 

HIGH AVAILABILITY FOR EXCHANGE SERVER 2007 SP1
MICROSOFT 

E-mail has become mission-critical for the large and the small. Businesses and 
organisations of all types can no longer afford the extended outages of disasters
like failed disks, corrupt databases, failed servers, or power outages.
Microsoft Exchange Server 2007 provides simplified in-the-box high-availability 
solutions that make recovery from many disasters barely noticeable to end 
users. Learn how Local Continuous Replication, Cluster Continuous Replication, 
Standby Continuous Replication and Single Copy Clusters provide fast recovery 
for events that used to be called disasters. 

STRATEGIES IN DISASTER RECOVERY: FROM DISK TO SITE 
FAILURE FOR MICROSOFT EXCHANGE SERVER 2007 
MICROSOFT 

Disasters can range from single database corruption to natural disasters that 
take out an entire datacenter. Are you prepared for the set of outages that can 
affect your e-mail service or data availability? Have you defined your strategies 
for the small to the big outage? This session covers the range of disaster 
recovery strategies possible in Microsoft Exchange Server 2007, culminating in 
the ultimate of all disasters - recovering from a full site failure. 

EXCHANGE SERVER 2007 UNIFIED MESSAGING: FEATURES 

AND DEPLOYMENT 

MICROSOFT 

Microsoft has included Unified Messaging natively in Exchange Server 2007. In 
this session, learn about the features, benefits, and architecture of Exchange 
Unified Messaging. See how Exchange can take voicemail and fax messages; 
how you can call in over any phone to access your voicemail, e-mail, calendar, 
or contacts; how you can build automated attendants; and how speech access 
is integrated into the product. Learn how easy it is to configure and deploy 
Exchange Unified Messaging for your organization. 

EXCHANGE UNIFIED MESSAGING: PBX CONNECTIVITY 
MICROSOFT 

Think Unified Messaging is hard to deploy? Think again! This session will provide
an overview of the technical components of Exchange 2007 UM, explain
how UM connects to PBX and IP PBX equipment, and sample configurations of 
simple UM deployments, all in one session! 

EXCHANGE 2007 SP1: EXCHANGE ACTIVESYNC AND OUTLOOK

WEB ACCESS 

MICROSOFT 

This session covers enhancements to OWA and EAS in Exchange Server 2007, 
with particular attention to SP1. See highlights of new SP1 features in both OWA
and EAS: e.g., public folders, rules, calendar views and auto-discovery. Hear 
about the latest mobile scenario security enhancements. Learn about the latest 
updates to the EAS-OWA better together mobile experience. Get guidance on 
managing these features. Discover why OWA and EAS together give information 
workers the most powerful Exchange mobile experience. 

EXCHANGE SERVER 2007 SP1: TIPS AND TRICKS
MICROSOFT

This session will provide information on how to get more out of Exchange
Server 2007 and Exchange Server 2007 SP1. It includes tips and tricks on
configuring Exchange, managing Exchange, using the Exchange Management
Shell, and more!


UNIFIED COMMUNICATIONS 


INTRODUCING OFFICE COMMUNICATIONS SERVER 2007 AND 

OFFICE COMMUNICATOR 

MICROSOFT 

Software-powered VoIP will power the next generation of streamlined business 
communications. Without expensive infrastructure and network upgrades. 

Office Communications Server 2007 delivers software-powered VoIP, Web conferencing
and enterprise instant messaging along with a rich Presence platform.
See how Office Communications Server 2007 enables users to find and
communicate with the right person, right now, from the applications they use 
most whether at the office, at home, or on the road. 

MICROSOFT OFFICE COMMUNICATIONS SERVER 2007 

ARCHITECTURE AND DEPLOYMENT 

MICROSOFT 

This session will describe the unified communications architecture behind 
Office Communications Server 2007 as well as the logical and physical deployment
models for the servers. Join us for the session to hear about new capabilities
delivered by Office Communications Server 2007. We will be discussing
core architecture, server roles and decisions you have to make when planning 
and designing your Office Communications Server 2007 deployment. Sessions 
will include deployment best practices and demos. By the end of the session 
you should have enough background information to start thinking about your 
own deployment regardless of the size. 

PLANNING VOICE ARCHITECTURE AND DEPLOYMENT IN OFFICE 

COMMUNICATIONS SERVER 2007 

MICROSOFT 

This session will cover the different voice related components from an architectural
perspective, dialplan and routing concepts with specific examples and
guidelines, voice deployment scenarios that are supported in Office 
Communications Server 2007 

ADMINISTRATION AND MANAGEMENT OF OFFICE 
COMMUNICATIONS SERVER 2007 
MICROSOFT 

Office Communications Server 2007 offers an intuitive and an extensible management
interface. Come and ask the experts how you can completely manage
your Office Communications Server infrastructure with low overhead. In this 
interactive session we will take questions on the automation capabilities of the 
Office Communications Server management interface. Do you want to know 
how it integrates with Microsoft Operations Manager? Come and ask and how 
you can use it to monitor your Voice quality. 

SESSIONS AND SPEAKERS ARE SUBJECT TO CHANGE. 

SEE WEB SITE FOR UPDATES AND ADDITIONAL SESSIONS. 


MICROSOFT'S WEB CONFERENCING SOLUTION 
MICROSOFT 

Learn about Web conferencing technology provided by Microsoft Office 
Communications Server 2007 and the Office Live Meeting service. Microsoft's 
Web conferencing technology helps businesses connect disconnected organizations
with tools for online meetings, events, training, and collaboration while
offering choices for deploying this functionality via on-premise server or hosted 
service. See demos of rich Web conferencing features, such as rich media, two- 
way audio, and live panoramic video with Microsoft Roundtable. Understand the 
differences at a feature level between the on-premise and the service offerings. 

DEPLOYING AND MANAGING YOUR UC DEVICES: TANJAY, 

CATALINA, ROUNDTABLE 

MICROSOFT 

In this session you will learn about how to deploy and manage UC Devices, that 
is Office Communicator Phone Edition (codename "Tanjay") and Microsoft 
RoundTable. These devices are designed to be plug-and-play and they are, but 
there are a number of infrastructure requirements for it to work. You will learn 
about these infrastructure requirements (DHCP, DNS, NTP, Certificates, Exchange 
2007) and we will explore in detail the OCS 2007 Software Update Service. This 
component is able to update UC Devices with new firmware and in general 
includes a number of additional management features for UC Devices. After this 
session you will be able to understand what is needed to deploy UC Devices and 
you will know how to maintain the devices. 

SOFTWARE POWERED VOIP: TOPOLOGY AND CONFIGURATION 
MICROSOFT 

In this session we will start with everything outside of the server, the wider environment
to which Office Communications Server will integrate and planning for
deployments of Office Communications Server (Office Communications Server) 
2007. We will present the different enterprise environments that you will find on 
customer sites and the scenarios to integrate Office Communications Server 
2007 with each of the different environments. You will learn about where to 
place Mediation Server and Gateways, which Gateways are supported, and how 
to provision the gateways for optimum capability. Following this you will also
learn about everything inside the server, including Location profiles, Number
Normalization rules, Reverse Number Lookup and how to configure routes on
Office Communications Server 2007. You will learn how to restrict users from
dialing unauthorized numbers by using phone usages and what you have to consider
when you deploy in conjunction with existing PBX environments.

MIGRATING FROM MICROSOFT OFFICE LIVE COMMUNICATIONS 
SERVER (LCS) 2005 TO OFFICE COMMUNICATIONS SERVER 
(OCS) 2007 
MICROSOFT 

Migrating an LCS 2005 SP1 environment to Office Communications Server 2007 
requires careful planning for server deployments and client deployments. The 
session will present the most important aspects that drive the deployment and 
migration strategies and provide recommendations on how to accomplish a 
successful migration. 


DIVE INTO THE NEW RELEASES WITH MICROSOFT 
ARCHITECTS AND INDUSTRY EXPERTS! 
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SOMETIMES SIP JUST AIN'T ENOUGH 
MICHAEL PRZYTULA 

This session will look at some of the issues you 
can encounter when natively integrating IP-PBX's 
with OCS Enterprise Voice functionality, such as 
dealing with E.164, RNL, backboning multiple IP- 
PBX' via OCS, number normalization, and many 
other interoperations issues as well as the ways to 
work around some current native limitations. 

MONITORING OCS WITH MOM AND 
QOE SERVER 
MICHAEL PRZYTULA 

What is the Quality of your Users' experience (and 
the people they call) since you have deployed OCS 
to provide your companies voice services? Is the 
service stacking up against the quality of calls you 
had on your traditional PBX before OCS? This session
will look at how you can use the combination
of MOM and the OCS QoE Server to analyze your
organization's use of OCS Voice and Video services,
pinpoint any poor quality hotspots and take
moves to address them. 

OPTIMIZING MICROSOFT ROUNDTABLE 

DEPLOYMENTS 

MICHAEL PRZYTULA 

The ultimate Plug-and-Play device, right out of 
the box, you can plug it in and start using its 
360° panoramic video and VoIP capabilities; however,
there is much more you can do to further
optimize your experience with Microsoft 
RoundTable. This session will look at the finer 
points of tuning RoundTable to provide the most 
optimized experience in rooms of different 
shapes, sizes, configuration, lighting conditions, 
and even different countries! Using details from 
this session, you will be able to enhance your 
users' collaboration experiences even more! 

WINDOWS FAILOVER CLUSTERING FOR 
EXCHANGE ADMINISTRATORS 
JUERGEN HASSLAUER 

In the past the majority of Exchange deployments 
used standard servers so many Exchange administrators
have limited exposure to clustering technologies.
With the introduction of Cluster
Continuous Replication (CCR) in Exchange Server 
2007, the pros and cons for clustering Exchange 
have to be reevaluated. Windows Server 2008 will 
additionally increase the number of clustered 
mailbox server deployments. Therefore, it is necessary
that Exchange administrators understand
the Windows Failover Clustering concept. This session
describes the different cluster architectures
used by the two implementation alternatives for a
Clustered Mailbox Server (CMS) in Exchange Server
2007, CCR, and Single Copy Cluster (SCC). You will
learn how Windows Server 2008 simplifies the
setup and management of a cluster and what you
have to consider for a geographically dispersed
deployment of a CMS.

www.WinConnections.com

EXCHANGE SERVER 2007 CONTINUOUS 
REPLICATION 

JUERGEN HASSLAUER 

Exchange Server 2007 supports continuous data 
replication and enables administrators to create a 
second copy of the data stored in the information 
store. We will discuss Local Continuous Replication 
(LCR), Cluster Continuous Replication (CCR), and 
Standby Continuous Replication (SCR). You will 
learn how you can use these application built-in 
replication methods for geographically dispersed 
deployments. This session will help you to make 
an informed decision about when to use LCR, CCR, 
SCR, or a traditional storage-based replication 
solution from a third-party vendor. 

OFFICE COMMUNICATOR: EXTEND YOUR 
MESSAGING ENVIRONMENT WITH
REAL-TIME COMMUNICATION
JIM MCBEE 

Many IT managers and professionals equate popular
instant messaging applications with corporate-level,
real-time communications and thus dismiss
the concept all together. The quick dismissal of 
this emerging technology may be denying your 
organization powerful new tools for collaborating. 
We are on the verge of a new step in real-time 
communication evolution that will integrate functions
of e-mail, calendaring, and instant messaging.
Come to this session to learn about some of
the exciting developments in the convergence of 
and integration between Office Communicator, 
Exchange Server, voice mail, and your telephone. 

EXCHANGE 2007 MIGRATIONS: LESSONS 
LEARNED IN THE FIRST 100 DAYS 

JIM MCBEE 

Follow the real-life implementation of an early
adopter of Exchange 2007. This session will start 
with an overview of an organization's Exchange 
2000 architecture and some of their goals for an 
early implementation of Exchange 2007. The session
will then cover the planning process, server
consolidation factors, hardware requirements, 
existing software that integrates with Exchange, 
and meeting prerequisites. This session will also 
include many of the hurdles that this organization 
faced in completing their migration. 

EXCHANGE STORAGE SIZING AND 
HARDWARE EXPOSED 

JIM MCBEE 

Some messaging professionals view the process of 
sizing disk capacity as nothing more than tossing 
a lot of disk storage at the Exchange server and 
hoping it will be enough. This approach frequently 
yields poor results. If you have enough disk capacity,
there is still no guarantee that you have sized
the disk I/O capacity necessary to support your 
user community. In this session, you will learn not 
only about the factors that affect disk storage 
capacity, but also how to anticipate the I/O capacity.
Topics include estimating message data storage,
determining factors that increase disk storage
overhead, calculating I/O capacity, and determining
if you have sufficient I/O capacity for your
current user community. 

EXCHANGE PROTECTION USING DATA 
PROTECTION MANAGER 
DEVIN GANGER 

Backing up and restoring Exchange servers is an 
essential part of keeping your messaging infrastructure
up and running, even when you're running
an advanced clustering configuration. Why
should you consider using Microsoft System
Center Data Protection Manager 2007 to protect
your Exchange servers and clusters? What configurations
are supported and what limitations does
this place on my Exchange design? This session 
covers protecting Exchange 2003 and 2007 
servers' clustered configurations, including the 
new Exchange 2007 replication options. 

DISCOVERY, COMPLIANCE, ARCHIVAL, 
AND RETENTION WITH EXCHANGE 
DEVIN GANGER 

Discovery, Compliance, Archival, and Retention: 
they're challenges every Exchange administrator 
faces. Whether you're using Exchange 2000, 2003,
or 2007, join the author of the Windows IT Pro 
Email Discovery and Compliance e-book to find out 
how to solve these challenges using Exchange. 

Find out what you can do out of the box and when
you'll need to invest in third-party software. 

UPGRADING TO EXCHANGE SERVER 
2007: BEST PRACTICES 
DEVIN GANGER 

The common knowledge says that upgrading to 
Exchange 2007 isn't nearly as hard as the upgrade 
from Exchange 5.5. That's not to say that it doesn't
present its own set of challenges - and if you're
caught by them, it will still feel like getting run 
over by a truck. This session will present some of 
the common gotchas and how to avoid them. Be at 
the head of the upgrade parade, not caught in the 
wheels. This session has been upgraded to include 
the latest information on the SP1 release. 

CUSTOMIZING OUTLOOK WEB ACCESS IN 
EXCHANGE 2007 
WILLIAM LEFKOVICS 

Some enterprises may want to enforce branding of 
Outlook Web Access. A disclaimer or policy statement
regarding use of corporate e-mail resources
may accompany a customized Logon screen. We
will also look at creating themes with OWA 2007
using Cascading Style Sheets (CSS). The tools we 
will use for this adventure include Microsoft 
Expression Web. We will create a custom OWA as 
part of the demo. 

TRANSPORT RULES WITH EXCHANGE 
2007/OUTLOOK 2007

WILLIAM LEFKOVICS 

We will make a CASE (Conditions, Actions, Scope, 
Exceptions) for the value of transport rules and 
how they may be used within an organization.
This includes the use of ethical walls, appending
text to messages, and enforcing policy. We will
also show how Outlook 2007 message classification
and categorization can be used to further
empower transport rules. We will compare how 
transport rules differ between the hub and edge 
transport servers and create rules with the 
Exchange Management Console as well as the 
Exchange Management Shell. 

MESSAGE HYGIENE IN EXCHANGE 2007 
AND THE ANTI-SPAM MIGRATION TOOL 

WILLIAM LEFKOVICS 

We'll cover how to implement and configure the 
Transport Agents for anti-spam for Edge or Hub 
Transport servers with emphasis on the layered 
"Defense-in-Depth" approach. We will also cover 
migrating Anti-spam settings from Exchange 
2003 to an Exchange 2007 Edge or Hub 
Transport Server using the Microsoft Exchange 
Anti-spam Migration Tool. We will use both the 
Exchange Management Console and the 
Exchange Management Shell to configure message
hygiene settings.

MOBILE DEVICE SECURITY 
JOHN RHOTON 

The biggest obstacle deterring enterprises from 
the deployment of mobile devices is the concern 
around security risks that these devices expose. 
The content is vulnerable since mobility implies 
physical presence in public and uncontrolled environments
using connectivity that is unmonitored
and unmanaged by the enterprise. Devices are
often lost or stolen. Wireless transmissions are
physically accessible to anyone. Public networks
may harbor malware, probes, denial-of-service
attacks, and many other threats that can compromise
the device, and potentially through it, assets
on the corporate network. This presentation discusses
the primary wireless and mobile concerns
and the mechanisms that can be used to address
them. It will provide an overview of the products
offering mobile security solutions and also proposes
best practices in developing a complete
security framework that can enable mobility without
unacceptable risk to the enterprise.


MOBILE DEVICE MANAGEMENT (MDM) 
JOHN RHOTON 

The biggest challenges in initially deploying a mobile 
application are to provide connectivity and security. 
Once this has been achieved, scalability becomes a
growing concern. The infrastructure itself may scale
very well but any manual process to provision,
update, and support a large number of devices will
become very costly. Mobile device management
includes automatic configuration of mobile devices,
software deployment, remote configuration and
updates, inventory, and policy enforcement. This session
will provide an overview of the OMA-DM (Open
Mobile Alliance-Device Management) standard, typical
MDM architectures, market leading products
(including Microsoft System Center Mobile Device
Management) and provide insight into the challenges
and best practices in deploying MDM.

POWERSHELL FOR BEGINNERS 

PAUL ROBICHAUX 

The Exchange Management Shell (EMS) is a key 
part of the Exchange 2007 experience. What if 
you're not a scripter? Don't worry; you can still 
get plenty done with EMS after just a little learning.
This session covers the basics of what you
need to know about how EMS works and what 
you can do with it. 

PROTECTING DOCUMENTS AND E-MAIL 
MESSAGES WITH RIGHTS MANAGEMENT 
SERVICES 

DUNG HOANG-KHAC 

Have you ever wished that your internal e-mail 
messages or confidential documents stored on 
SharePoint would not go into the wrong hands? 
Have you ever been thrilled to know who has 
access to your documents and who does not? 
Come to this session to learn about Active
Directory Rights Management Services. AD RMS is
now a Windows component integrated with
Windows Vista and Windows Server 2008 and is a
Windows platform protection technology used to
enable secure collaboration between multiple
organizations. With AD RMS, you can ensure that
sensitive documents are encrypted and authorization
rights are set within the documents. Every
time a user opens a document, permissions are 
always checked no matter where this document 
resides, inside or outside of your organization! 

CONSOLIDATING MANAGEMENT OF
EVENT LOGS

DUNG HOANG-KHAC 

After deploying Exchange 2007, you are enjoying 
management of Exchange servers from a single 
GUI console or from its powerful command line 
interface. However, to monitor events that have 
occurred in an Exchange environment, you still 
need to employ different tools to consolidate 
Exchange events in a central location for further 
analysis. There are several free but unsupported 
tools that help collect event logs from remote 
servers, and then it's up to administrators to 
browse through those files and filter out noise 
events to extract useful information. Wouldn't it be 
nice if the operating system could do the work for 
you? Simply specifying the event IDs you are interested
in monitoring, a group policy that includes
selected Exchange servers, and a rule to collect 
those events, and then you're done! Come to this 
session to learn about the new event architecture 
and remote management in Windows Server 2008 
and see how you can leverage the new event forwarding
feature to better manage your application
servers today! By the way, event forwarding also
works on the Windows Server 2003 environment,
so you don't need to wait for an upgrade.



Enter to WIN 

Enter the contest in the Expo Hall to 

WIN a Harley-Davidson!

The winner will drive one home. 
WINDOWS SERVER 2008 OVERVIEW
MICROSOFT 

Windows Server 2008, in addition to incorporating new capabilities and 
enhancements to existing features, includes a number of improvements in 
the core OS that enhance the Operating System's capabilities in this area. 
These features are aimed at increasing the ability of Windows Server 2008 to support
highly critical workloads by improving operational reliability, reducing system
failures, and easing management. We will also discuss improvements in other
related elements in the platform that help Windows-based systems and services
move an organization's IT department forward.

WINDOWS SERVER 2008 VIRTUALIZATION TECHNOLOGIES 
MICROSOFT 

The new Windows Server Virtualization technology, Hyper-V, and Presentation 
Virtualization technologies like Terminal Services RemoteApp are core features 
in Windows Server 2008. This session will provide you an overview of virtualization
in Windows Server 2008, the scenarios, features, and benefits that make
server virtualization an important scenario. Virtualization management is
becoming a critical tool for improving overall manageability for the IT environment.
Join us in this session to learn how Hyper-V and our management technologies
build a strong flexible platform and improve overall manageability.

WINDOWS SERVER 2008 WEB AND APPLICATION TECHNOLOGIES 
MICROSOFT 

Take a look at all the changes coming in the new, redesigned Internet 
Information Services (IIS) 7 and Windows Web Server 2008. This session 
focuses on new troubleshooting features, a breakdown of architecture and 
security improvements, and the new IIS 7 configuration system, remote management,
extensibility, business value, etc.

WINDOWS SERVER 2008 SECURITY AND COMPLIANCE
TECHNOLOGIES
MICROSOFT

Windows Server 2008 offers rich capabilities for securing your IT
infrastructure and providing tools to ease compliance mandates. This session
will discuss the Windows security and compliance features such as
Network Access Protection, Rights Management Services, and Active Directory
Federation Services subsystem, why auditing is important, and how to configure
an audit policy with the updated Windows Server 2008 event subsystem.

WINDOWS SERVER 2008 PERFORMANCE AND SCALABILITY 
MICROSOFT 

A discussion of Windows Server 2008 OS performance features, results, and 
references. The presentation will cover the themes behind the performance 
investments on Windows Server 2008 and how they are applicable to real-world
scenarios. Some of the areas covered are file serving, networking
advancements, Web and application serving, virtualization, terminal services 
and general scale-up advancements. 


IDENTITY AND ACCESS TECHNOLOGIES IN WINDOWS
SERVER 2008
MICROSOFT

Windows Server 2008 is an advanced operating system that can help you 
maximize control over your infrastructure while providing higher availability 
and management capabilities, leading to a more secure, reliable server environment.
In this presentation, learn how you can help your organization
reduce identity and access security risks with Windows Server 2008. We also 
examine how Windows Server 2008 can help you decrease operational costs, 
satisfy regulatory requirements, and deepen relationships with customers 
and partners. 

MANAGEMENT TECHNOLOGIES IN WINDOWS SERVER 2008 
MICROSOFT 

Windows Server 2008 makes significant improvements in server manageability
with a one-stop administrative solution called Server Manager. This
streamlined management tool allows IT administrators to complete setup of
Windows Server using the Initial Configuration Tasks page, and configure and
manage server roles and features with prescriptive wizards, a unified management
console, and a command-line interface. This session will present and
demonstrate the configuration and management capabilities of Server 
Manager and introduce some new features of Server Manager in the Windows 
Server 2008 including integration of the Hyper-V role and Remote Server 
Administration Tools. We will also explore how Windows PowerShell, Windows 
Remote Administration, and Event Forwarding can be part of an overall server 
management strategy. 

WINDOWS SERVER AND VISTA: SOLID ENTERPRISE
MICROSOFT 

In this session, we discuss many new features shared by the Windows Vista 
and Windows Server 2008 operating systems. We start by talking about why 
Windows Server 2008 and Windows Vista are so closely related, and how 
together they enable many new and exciting features that promote more efficient
management. We talk about the new features that make data more
available, such as improvements to offline files, client-side print rendering, 
the transactional file system, and policy-based Quality of Service (QoS). 
Finally, we review such things as the new TCP/IP stack and Server Message 
Block (SMB) 2.0 protocol that speed network communications in Windows 
Server 2008 and Windows Vista. Attend this session to learn how Windows 
Server 2008 and Vista work better together. 

SESSIONS AND SPEAKERS ARE SUBJECT TO CHANGE. 
SEE WEB SITE FOR UPDATES AND ADDITIONAL SESSIONS. 


Replicate server images to remote locations 
for rapid recovery in disaster scenarios! 
WSE201: REIMAGINING FILE SHARE
SECURITY AND MANAGEABILITY 
DAN HOLME 

Windows Server 2008 improves on the solid performance
and functionality of previous versions
of Windows file services. Features such as file 
screens, quotas, DFS Namespaces, access-based 
enumeration, and the powerful new Owner Rights 
identity are important pieces of the puzzle. But 
to implement the perfect file server, you need 
more. You need the ability to answer the questions,
"Who has access to this file?" and "What
can John Doe get to?" Get the free tools and
scripts you need for a more manageable file
server. This session will cover: Changes to the
capabilities and functionality of security user
interfaces and NTFS permissions; The new Owner
Rights identity; Access-based enumeration (ABE);
Symbolic links; Provisioning secured shared folders;
Abstracting the storage and presentation of
data folders for manageability and security; File
screens; Quotas; Custom scripts and tools to analyze
and report file and folder access.

WSE301: ROLE-BASED MANAGEMENT: 
EXTREME MAKEOVER 
DAN HOLME 

Get out of the business of managing individual 
changes in your environment and unleash the 
power of role-based management. If you've ever 
asked, or been asked, "What can [name of user] 
do?" or "Who is able to get to [name of resource 
or application]?", this session is for you! In this
session you will learn how to implement role-based
management, in which users are defined by their
business roles and where resource access and 
configuration are instantly, accurately, and 
auditably applied. Empower your enterprise to 
enable a documented, auditable structure for 
resource security, asset management, and more. 
Take away methodologies, scripts, tools, and 
guidance that are proven successful in the real 
world. This highly rated session is one of a kind 
and only at Windows Connections. 


WINDOWS TECHNOLOGIES 


WWN322: 64-BIT WINDOWS SERVER 2008 
VERSIONS: WHY SHOULD YOU CARE? 
GUIDO GRILLENMEIER 

In 2008, if you are an IT administrator and you 
are not aware of the ins and outs of 64-bit 
Windows, you have a problem. Driven by the need 
to deploy the 64-bit Windows OS to support applications
such as Exchange 2007, what are the
challenges you'll face when moving down the 64-bit
road: What does this mean for your 32-bit
applications? Will they work and how? Will they
perform better or worse? When considering
deployment of Windows Server 2008, should you
leverage the x64 architecture or move to
Itanium? What's really the difference between the
two? How does Windows Server 2008 support
either architecture? This session explains the
most important things to know about the different
64-bit Windows architectures and why you
should care about them. Special focus will be put 
on 32-bit compatibility challenges and solutions 
as well as discussing deployment scenarios for 
the 64-bit versions of Windows Server 2008. 

WWN323: ACTIVE DIRECTORY DISASTER 
RECOVERY IN WINDOWS SERVER 2008 
GUIDO GRILLENMEIER 

Backing up and restoring your complete Active 
Directory forest, or objects that you have accidentally
deleted in a domain, has always been a lot of
fun with previous versions of the Windows Server
OS. Come to this session to find out how much
more fun you can have restoring your AD or specific
objects with Windows Server 2008! Microsoft has
invested a lot of resources to completely overhaul
the mechanisms and tools to back up Windows
Servers in this OS release. This change has various
impacts on the strategy you use to back up your
AD Domain Controllers and how you restore them.
It may even impact how you configure your domain
controller disk subsystem. But there is a lot of
good news when it comes to recovering objects in
AD, which will be demonstrated in detail in this session.
We'll also discuss those recovery tasks that
continue to be a challenge. 

WWN321: ADMINISTRATORS' IDOL: THE 
COOLEST SESSION EVER 
DAN HOLME 

OK, the title got your attention at least, right? So 
here's the scoop. From his work with thousands
of IT professionals, from the CIOs of Fortune
companies to front-line support professionals at
the Olympic games with NBC, Dan has amassed a
wealth of tricks to boost your productivity as an
administrator. In this fast-paced session, Dan will
share how to build truly amazing administrative
toolsets that extend your reach, automate
tedious tasks, and enable your entire IT organization
to work smarter, faster, and more securely.
You'll learn tricks that will amaze not only your 
friends and coworkers, but yourself as well. 
Typically part of a post-conference workshop, 
we've brought this gem into the main event as a 
fantastic way to cap off your Windows 
Connections experience. Don't miss it! 

WWN221: BREAKING UP IS HARD TO DO: 
DIVESTING RESOURCES OUT OF YOUR AD 

SEAN DEUBY 

Acquisitions and divestitures are a fact of business
life. This doesn't mean that moving a business
unit out of your Active Directory is an easy
task, however. You have to juggle the technical
aspects of removing the affected unit's users,
groups, and computers while keeping disruptions
of all involved parties to an absolute minimum,
all without violating either company's information
security policies. This session will step you
through a large divestiture based on real-life 
experience, pointing out requirements, pitfalls, 
and best practices along the way. 

WWN220: DNS 2008 STYLE: HOW NAME 
RESOLUTION CHANGES IN SERVER 2008 
INFRASTRUCTURES 

MARK MINASI 

Server 2008's here, and so is DNS, 2008 style! 
What's the story with WINS, is it time to go? How
does 2008's DNS affect Active Directory? What
about those new "magic" records, the DNAME
and GLOBALNAMES feature? And most importantly,
how the heck do I administer a DNS server
running on Server Core? Find out with the Master
of Name Resolution, Mark Minasi! 

WSE302: INCREASING THE SECURITY IN 
YOUR ACTIVE DIRECTORY USING 
WINDOWS SERVER 2008 
GUIDO GRILLENMEIER 

Active Directory has received various security 
updates in Windows Server 2008, some of which 
are hard to miss, such as the capability to 
deploy Read-Only Domain Controllers (RODC). 
However, there are plenty of other enhancements
hiding under the hood that AD administrators
should know about to further tighten the
security in their AD infrastructures. This includes
features such as Owner Access Restriction, Fine
Grained Password Policies, various updates
around the Auditing capabilities of Active
Directory, and the Admin-Role Separation feature
for RODC. This session will explain how best
to leverage the various new features to ensure 
the operation of a secure Active Directory with 
Windows Server 2008. 

WWN222: MIGRATION STRATEGIES FOR 
WINDOWS SERVER 2008 
SEAN DEUBY 

Whether you're in the role of a single server 
administrator or owner of a corporate Active 
Directory, upgrading to Windows Server 2008 
requires thorough planning and testing. This session
will review different migration strategies for
several Windows Server 2008 roles, with a focus
on upgrading your Active Directory forest.

Understand administrative
templates (ADM and
ADMX files)!

WWN325: NOW THAT YOU'VE GOT IPV6 
(IN VISTA AND 2008), WHAT TO DO 
WITH IT? 

MARK MINASI 

Vista has arrived. 2008's arrived. And with them 
they bring... IPv6. Your first reaction when you see
an IPv6 address like "fe80::5efe:10.50.50.112" might
be "hmmm... that's a lotta colons, and I KNOW 
what comes out of colons!," but is that the RIGHT 
reaction? Join veteran Windows explainer Mark 
Minasi in a look at the latest version of IPv6... and 
whether you'll want to leave it on or turn it off. 

WWN101: PLANNING FOR WINDOWS 
SERVER 2008 AND VISTA LICENSING 
SEAN DEUBY 

Any rollout of Windows Server 2008 or Vista 
requires planning for Volume Activation 2.0. If 
you don't, your systems will grind to a halt a 
month after you've deployed them. You have to 
make a number of design decisions for your VA 
2.0 infrastructure: this session will provide you 
with key information from practical experience to 
help you plan. 

WWN326: SERVER CORE STEP BY STEP: 
GOING COLD TURKEY ON THE GUI 

MARK MINASI 

For years you've known it: you've just GOT to get 
more familiar with the command line. You get 
things done faster, you can create simple batch 
files for automating many tasks, and, best of all, 
when you're working from the GUI, your boss 
starts to think: "Hey, what IS that thing he/she's 
using? We need to pay techie employees like them 
more money!" Well, Windows 2008's command-line-only
Server Core's arrived, so here's your
opportunity. Building on his popular "Command 
Windows from C: Level" talk, Mark Minasi walks 
you through the process of building a Server Core 
server from setup to initial configuration to full-blown
DNS, Active Directory, and more.

WWN327: WHY UPGRADE TO SERVER 2008? 
FOR THE NEW AD BENEFITS, MOSTLY 
MARK MINASI 

Why upgrade to 2008? Heck, we could just wait
for SP1, right? Maybe not. 2003's Active Directory
is pretty good, but, honestly, it could be better.
Branch office DCs are a real pain, both from a
security and a bandwidth point of view. But
Server 2008 offers some relief with the concept
of a "read-only domain controller" that flexes
Kerberos' muscles in a way that Windows hasn't
really before. You'll get the ability to dial in
exactly which user accounts are stored on a
branch office DC, as well as new encryption
options to make it theft-proof. But that's not all:
DCPROMO gets a facelift and, well, it needed it.
Even better, AD actually comes with a disaster
recovery tool... neat, eh? Come to this session
presented by Windows expert and bestselling
author Mark Minasi to find out whether or not
the bundle of AD benefits might be the thing that
sells you on 2008!

Implement role-based
management for dramatic
increases in manageability,
security, auditability
and compliance!


POWERSHELL 


WPO201: MANAGING DIRECTORY
SERVICES WITH WINDOWS POWERSHELL 
(BRING YOUR OWN LAPTOP) 

JEFF HICKS 

In this session we'll explore the different 
approaches you might need to manage directory 
services with PowerShell. Not only will we look at 
Active Directory management, but we'll also discover
how to manage local users and groups
through PowerShell. Our exploration will include 
native PowerShell functionality, a smattering of 
Exchange 2007, and free third-party PowerShell 
extensions. 

WPO202: MANAGING SERVERS AND
DESKTOPS WITH WINDOWS POWERSHELL 
AND WMI 
JEFF HICKS 

Although PowerShell is an incredibly valuable 
administrative tool, a major feature is its support
for Windows Management Instrumentation
(WMI). In this session we'll review what WMI is 
and why you should care. Then we'll delve into 
the different ways you can leverage WMI in 
PowerShell to gather a great deal of system 
information and to configure and manage systems
as well.

WPO101: POWERSHELL IN WINDOWS
SERVER 2008 
JEFF HICKS 

Windows Server 2008 promises to change the 
way we manage our servers once again. 
PowerShell also will be changing the way we 
manage our servers. In this session we'll discover 
how PowerShell and Windows Server 2008 work 
together, what it takes to make them work
together, and how you can get the most out of
the combination to simplify your life. 


BUSINESS 


WIB201: EVERYTHING YOU NEED TO 
KNOW ABOUT STORAGE TECHNOLOGIES 
BUT WERE AFRAID TO ASK 

ALAN SUGANO 

If your company is like most companies, you are 
probably running low on disk space as storage-hungry
applications eat up disk space like contestants
in a pie-eating contest. But what's the best
solution for your company? With the advent of 
newer drive interface technologies like Serial 
Attached SCSI (SAS) and Serial ATA (SATA), there is 
a lot more to choose from when selecting a storage
solution. This session will cover the storage
basics of locally attached storage, network 
attached storage (NAS), just a bunch of disks 
(JBODs), and storage area networks (SANs), what 
they are, where they are typically used, and how 
they fit into a comprehensive storage strategy for 
your company. We'll also look at the enhancements 
to Windows Storage Server (WSS) that are scheduled
to be released with Windows Server 2008.


DEPLOYMENT, GROUP POLICY, 
MANAGEMENT 


WID201: GROUP POLICY 2.0 PART I:
NEW GOODIES
JEREMY MOSKOWITZ

What's new in Group Policy? Short answer: lots. 
With Microsoft releasing Windows Server 2008 
there are hundreds of new settings, plus the 
biggest bombshell to hit Group Policy since 
Group Policy itself: the new Group Policy 
Preference Extensions! So come hear the essential
"What every admin absolutely needs to
know" about Windows Vista and Group Policy.
Learn why you need a Windows Vista management
station. Learn how to get out of burning
5MB per GPO on each DC. Learn about the new
things you can do (like power management and
USB port management), only for Windows Vista
clients. See the 20-odd new "big things"
Microsoft has gifted every administrator. If you
have even one Windows Vista client that you're 
going to deploy, you positively must come to this 
session to learn the ropes from Jeremy 
Moskowitz, Group Policy MVP. (Note that some 
material in this session is covered in Jeremy's 
pre-conference workshop.) 

WID302: GROUP POLICY 2.0 PART II: 
TROUBLESHOOTING 

JEREMY MOSKOWITZ 

In Part II we'll discover how the beauty of Group 
Policy changes is not skin deep. There are some 
basic and detailed changes lying under the
hood. And Jeremy Moskowitz of GPanswers.com 
and author of Group Policy: Management, 
Troubleshooting and Security is just the guy to 
bring it to you. In this session, you'll learn why 
you can't just run gpresult.exe any more and get 
the results you want. You'll discover what happens
if you reconnect to the network after a
long absence. You'll learn how to crack open the 
new Vista event log and trace Group Policy flow 
to figure out what might be going on. You'll 
learn how other areas, like Offline Files and 
Group Policy Software Installation, can be 
tweaked to give you just the information you 
need to fix what ails you. If you're looking for 
Group Policy answers to your troubleshooting 
questions, this is the session for you. (Note 
there is some material that is also covered in 
Jeremy's pre-conference workshop.) 


VIRTUALIZATION 


WVI205: INCORPORATING VIRTUALIZATION 
INTO DISASTER RECOVERY 

ALAN SUGANO 

A comprehensive Disaster Recovery Plan is something
that every company should have and hopefully
will never have to use. Having a plan in
place that provided a road map to recovery was
adequate in the past, but recent emphasis has
been placed on the speed of the recovery.
Sarbanes-Oxley (SOX) compliance companies
must disclose their business continuity plans and
the company's exposure to a prolonged outage
and how it affects financial reporting.
Virtualization can significantly reduce the recovery
time for a major disaster, by providing a
warm or hot remote recovery site and accelerate
workstation and server setup. 

WVI104: SOFTGRID 101 

JEREMY MOSKOWITZ 

Let me guess: your machines just "blow up" now 
and again. And I know why. It's because you have 
a zillion applications on them with a half a zillion 
conflicts and things just "deteriorate" over time. 
Wouldn't it be neat if you could just eliminate 
that problem altogether? Well, with Microsoft's 
newest acquisition, Softgrid, you can. It works by 
"wrapping up" your existing software into 
"sequences", and then putting them into a virtual 
sandbox. The upshot? Your applications aren't 
running "on" Windows. They're running within the 
sandbox. So, no more desktop deterioration. 
Softgrid is a big place, but come to this session 
to make sure you know the ins and outs before 
you get it in your organization! 

WVI206: VIRTUALIZE NOW! 

RICK WATSON 

This session explains virtualization concepts and 
compares various virtualization technologies. It 
explores the issues and benefits of moving production
systems into a virtual environment.
Issues: storage considerations, networking configuration,
and system compatibility. Benefits:
Reduces the cost of rack space and power.
Consolidation ratios commonly exceed ten virtual
machines per physical server; Decreases labor
costs by simplifying and automating IT operations
across disparate hardware, operating system,
and software applications; Enables cost-effective
application availability independent of
hardware and operating systems; Enables continuous
uptime and non-disruptive maintenance
with live migration of entire running systems;
Eliminates the need for repetitive software
installation and configuration; Accelerates the
application development and deployment lifecycles;
Improves responsiveness with instant provisioning
and dynamic optimization of application
environments; and Allows legacy systems to coexist
with new environments.

WVI207: VIRTUALIZING ACTIVE
DIRECTORY

RICK WATSON 

Windows Active Directory plays an important role 
in today's IT environment. In this session, learn 
how to successfully implement Windows Active 
Directory using virtualization. The session will 
demonstrate using VMware Virtual Infrastructure 
3, but the concepts and skills covered can be 
applied with other products. Topics covered:
Guidelines for clock synchronization; Effective
use of security roles; Placement of Flexible Single
Master Operations (FSMO) roles and global catalog
servers; Backup techniques and disaster
recovery options to minimize loss and downtime;
Successfully transitioning from a physical to a
virtualized infrastructure; and Managing network
policies including DNS configurations.

MICROSOFT DAY • MONDAY, APRIL 28, 2008 • MICROSOFT DAY


OFFICE 

SESSIONS PRESENTED BY MICR 
& CONFERENCE SESSIONS 


INTRODUCING THE OFFICE SECURITY GUIDE 
MICROSOFT 

In this session, learn about the new Office security guide to help you learn 
about securing the Office desktop. By attending this session, you'll get an 
overview of the guide itself, as well as helpful tips and techniques for improving
the security of each Office installation. Topics covered will include protection
of sensitive information, deployment configuration strategies, and more.

MANAGING APPLICATION COMPATIBILITY WITH CONVERTER
TECHNOLOGIES
MICROSOFT

In this session, learn how Converter Technologies can help simplify your 
deployment by helping understand and plan for application compatibility 
challenges for your deployment. We will also discuss the tools used to test 
legacy Office applications and documents for compatibility with next generation
Office System products.


NEW TOOLS AND TECHNIQUES FOR DEPLOYING THE OFFICE
2007 SYSTEM
MICROSOFT

The 2007 release of the Microsoft Office system offers several new tools to 
speed and simplify the client deployment process. In this session, you are introduced
to the new Setup and Customization technologies (only one tool now
instead of all those wizards!). This presentation offers a drill down of each tool, 
guidance for their use, and suggestions for making your deployment a success. 

OFFICE MIGRATION PLANNING MANAGER 
MICROSOFT 

Use the Office Migration Planning Manager to help assess your customer's document
environment readiness for Office 2007. Topics include benefits and
usage, scanning of documents with the provided file scanner, identifying possible
document conversion issues with the new Office 2007 XML formats, and
finding documents with VBA projects and macros. We'll also cover the graphical
Access 2007 front-end for doing SQL queries of the data collected.


OFFICE CONNECTIONS CONFERENCE SESSIONS • APRIL 29 & 30, 2008 


WSH203: CREATING COST-EFFECTIVE 
PARTNER SITES IN WSS 

JEFF WEBB 

How to set up an Internet-facing site for collaborating
with external partners using WSS. This session
covers how to isolate and secure the server
and set up forms-based authentication in a way 
that allows external users to manage their own 
passwords, receive e-mail alerts, and participate in 
workflows. It covers the hardware, licensing, and 
customization needs for partner sites with a focus 
on security and minimizing costs. 

WEX201: MOSS 2007/EXCHANGE 2007 
MANAGED FOLDERS 

MELISSA FRASER 

The compliancy features of Microsoft Office 
SharePoint Server 2007 are very compelling. With 
the use of MOSS 2007 and Exchange 2007 together,
these compliancy features may be extended
beyond traditional document libraries. E-mail
messages stored on servers can also be included.
In this session, we will discuss the ins and outs
of including Exchange 2007 e-mail messages as
part of records management. Session topics
include: Planning e-mail retention policies;
Configuring managed folders; Configuring information
management policies on folders; and
Implementing journaling.

WSH201: SAY G'BYE TO FILE SHARES:
21ST CENTURY COLLABORATION WITH
WSS DOCUMENT LIBRARIES
DAN HOLME 

It's time to start moving your shared folders to 
SharePoint. Why? Because the features that we've 
all been missing-including document metadata, 
checkout, version control, and content approval- 
are now achievable using Windows SharePoint 
Services document libraries. Learn how to move
forward into a new era of document management 
in this practical application of SharePoint. 

WSH202: SHAREPOINT, BUSINESS, AND 
END-USER PRODUCTIVITY: OFFICE 2007 
APPS AS SHAREPOINT CLIENTS 

DAN HOLME 

While SharePoint offers great functionality 
through its out-of-the-box Web interface, you really
"kick it up a notch" when you add Microsoft
Office 2007 applications to the mix. This session,
appropriate for IT professionals, end users, and
managers, will highlight some of the exciting ways
you can integrate Office apps and SharePoint,
including document libraries, Excel and Access
integration, slide libraries, and taking files offline 
with Outlook. You'll also learn what to expect from 
different versions of Microsoft Office clients and of 
SharePoint. And you'll discover tricks and traps 
related to configuring SharePoint, even with 
forms-based authentication, for client integration. 

WSH204: TROUBLESHOOTING 
SHAREPOINT: WHEN GOOD SERVERS 
GO BAD 

JEFF WEBB 

How to detect, isolate, debug, and fix problems 
when they occur. This session walks through common
issues and shows you how to run down the
problem through the logging services that 
Windows, SharePoint, SQL, and IIS provide. It also 
covers how to fix the most common client-side 
and server-side issues and points you to resources 
to help resolve the obscure ones. 


WSH205: WSS 3.0 COMMON 
ADMINISTRATION AND CONFIGURATION 

MELISSA FRASER 

Microsoft Windows SharePoint Services 3.0 has 
many new features and enhancements that can 
help IT professionals deploy and maintain Windows 
SharePoint Services solutions. Together, these new 
features and enhancements provide IT organizations
with better control over the WSS solution
and help reduce administrative overhead by allowing
IT administrators to work more efficiently and
effectively. In this session, we will discuss the configuration
and management of WSS servers and
WSS sites. Specifically we will cover: Central
administration for operations; Central administration
for applications; Site collection management;
and Site structure and feature management.


Master the administration 
of Windows SharePoint 
Services! 
WORKSHOPS

PRE-CONFERENCE 



Pre- and Post-conference Sessions Boost 
Your Expertise! 

Pre-conference Workshops: 

Saturday, April 26, 2008 
Sunday, April 27, 2008 

Post-conference Workshops: 

Thursday, May 1, 2008 

Windows Connections, Office Connections and Exchange
Connections offer additional, optional pre- and post-conference
half-day sessions. Extend your educational
experience and gain additional expertise, including fundamentals
that make the main-track sessions more relevant
and comprehensible for newcomers.

Pre- and post-conference session selections are 
available when you register. 

PRE-CONFERENCE DAY 1 • APRIL 26, 2008 


9AM - 4PM • PRE-CONFERENCE WORKSHOP • EXCHANGE TRACK 

SAY WHAT? VOICE TECHNOLOGIES FOR IT PROFESSIONALS 
(BRING YOUR OWN LAPTOP) 

VALENTINE BOIARKINE, MVP 
THOMAS FOREMAN, MVP 

Is SIP something you do to coffee? Do you think PBX is an extreme sport? 
Do hunt groups make you run for cover? This session is for IT professionals
who need to know more about voice technologies that work with
Microsoft's Unified Communications products. Microsoft has entered the 
voice domain with Exchange Server 2007 Unified Messaging and Office 
Communications Server. As IT professionals, we need to know how to 
integrate these powerful products with existing voice technologies. This 
session will discuss voice technologies and how they integrate with UC 
products. You will perform a series of OCS labs developed by Wadeware® 
on your laptop. NOTE: The laptop you bring MUST have at least 2GB of 
memory, 15GB free disk space, DVD drive, and a headset with microphone. 

9AM - 4PM • PRE-CONFERENCE WORKSHOP • EXCHANGE TRACK 

U-FIX-IT: TROUBLESHOOTING EXCHANGE SERVER 2007 
(BRING YOUR OWN LAPTOP) 

PETER O'DOWD, MVP 

This intensive one-day troubleshooting workshop is essential for IT and 
Exchange administrators who want hands-on experience troubleshooting
databases, message flow, and performance in a lab environment.
Exchange expert and MVP Peter O'Dowd will walk you through the
process of identifying and solving problems using a wide range of tools
and techniques. On your laptop, you'll perform virtual hands-on labs 
developed by Wadeware® that simulate problems, and then walk through 
the process of troubleshooting and solving them. Attend this full-day 
workshop to better understand Exchange database architecture and 
gain knowledge necessary to recover and support your Exchange Server 
2007 system. NOTE: The laptop you bring MUST have at least 2GB of 
memory, 15GB free disk space, and DVD drive. 


PRE-CONFERENCE DAY 2 • APRIL 27, 2008 


9AM - 4PM • PRE-CONFERENCE WORKSHOP • EXCHANGE TRACK 

WALK IN THE PARK: OFFICE COMMUNICATIONS SERVER HANDS-ON
LABS (BRING YOUR OWN LAPTOP)

VALENTINE BOIARKINE, MVP 
THOMAS FOREMAN, MVP 

Come take a six-hour guided tour of Office Communications Server (OCS) 
and see for yourself the latest Microsoft Unified Communications product. 
Much, much more than Instant Messaging, Office Communications Server 
provides text, web conferencing, and Voice over IP solutions that allow you 
to change the way your organization communicates. We'll install and configure
OCS and show how web conferencing integrates with Microsoft Office.
We'll show you how to configure and use Communicator Web Access, and 
how to configure Voice so that incoming calls are directed to Office 
Communicator clients (and eventually Exchange Unified Messaging if you're 
not there to answer). In this information-packed day, you'll use your laptop 
to walk through several hands-on labs developed by Wadeware® with OCS 
experts, MVP Thomas Foreman, and MVP Valentine Boiarkine. NOTE: The laptop
you bring MUST have at least 2 gig of memory, 15GB free disk space, DVD
drive, and a headset with microphone. 

9AM - 4PM • PRE-CONFERENCE WORKSHOP • EXCHANGE TRACK 

WALK IN THE PARK: MICROSOFT EXCHANGE 2007 HANDS-ON 
LABS (BRING YOUR OWN LAPTOP) 

PETER O'DOWD, MVP 

Come take a six-hour guided tour of Exchange Server 2007 and see for 
yourself the next evolution of the world's most powerful messaging system. 
Experience the new Management Console, the five new server roles, e-mail 
policy enforcement and compliance, powerful new scripting tools, new 
architecture, new high availability and disaster recovery features, new mailbox
features, and methods for migrating from earlier versions of Exchange.
In this information-packed day with Exchange expert and MVP Peter 
O'Dowd, you'll get hands-on experience with Exchange Server 2007 using 
your laptop to walk through several labs developed by Wadeware®. NOTE: 
The laptop you bring MUST have at least 2GB of memory, 15GB free disk 
space, and DVD drive. 

9AM - 12PM • PRE-CONFERENCE WORKSHOP • OFFICE TRACK 

SHAREPOINT GOVERNANCE: GATHER YOUR REINS BEFORE 
JUMPING INTO THE SADDLE 
WENDY HENRY 

Don't lose control of SharePoint right out of the starting gate! Before 
unleashing the allure of SharePoint on your unsuspecting users, make sure 
you have standards in mind to control content growth, authorize access, and 
dictate site structure. My mother always said "an ounce of prevention is 
worth a pound of cure" and nothing stings as bad as a well-planned 
SharePoint design gone horribly wrong due to lack of diligence. Attend this 
pre-conference session to learn what you need to know BEFORE learning what 
you need to know about SharePoint. Orchestrate change control so that your 
company gets the most out of its SharePoint investment, in the beginning and
into the future! 

SESSIONS AND SPEAKERS ARE SUBJECT TO CHANGE. 

SEE WEB SITE FOR UPDATES AND ADDITIONAL SESSIONS. 
1PM - 4PM • PRE-CONFERENCE WORKSHOP • OFFICE TRACK

SUPPORTING SHAREPOINT DATABASES: THE DBA'S GUIDE 

WENDY HENRY 

The best laid plans of SharePoint admins can disintegrate in an instant...don't 
let this happen to you! Whether you're the DBA or the person who wants to 
communicate better with the DBA, learn how to protect your SharePoint configuration
and content by protecting the many databases that support your
SharePoint environment. From backing up to maintaining data source databases,
the SharePoint Administrator's job doesn't end when SharePoint
Central Administration closes. Attend this post-conference session to learn 
skills for maintaining SQL Server databases that house not only your 
SharePoint content but Business Data, Reporting Services, and Search 
Indexes as well. It's SharePoint...from the SQL Server point of view! 

9AM - 4PM • PRE-CONFERENCE WORKSHOP • POWERSHELL TRACK 

WINDOWS POWERSHELL JUMP START 
JEFFERY HICKS 

You know PowerShell will be a part of your future, so what are you waiting 
for? This HANDS-ON workshop will give you a jump start on the road to 
PowerShell. You will learn PowerShell fundamentals, such as navigating the 
shell, working with key cmdlets, securing your PowerShell environment, writing
functions and filters, PowerShell scripting basics, managing the registry,
using WMI and ADSI in PowerShell, and much more. Bring your laptop pre-loaded
with PowerShell 1.0 and virtualization software that will allow you to
run a Windows 2003 or later domain controller. This session will focus on 
PowerShell 1.0, which is the only version approved for production use. By the 
end of the day you'll be able to write powerful one-liners that will amaze your 
peers, dazzle your boss, and accomplish a ton of work with minimal effort. 

9AM - 12PM • PRE-CONFERENCE WORKSHOP • VIRTUALIZATION TRACK 

VIRTUALIZATION: A JUMP START 

ALAN SUGANO 

Virtualization is one of the hot topics this year. With significant increases in 
performance of the current generation of server hardware with quad-core
processors, high memory capacity, and Serial Attached SCSI (SAS) drives, 
much of the processing power on a server goes unused. Virtualization allows 
you to take advantage of this processing power by running several virtualized 
servers on one physical host. If you're considering virtualization and are new 
to this technology, this workshop will get you up to speed. You'll learn about 
the following topics: 

■ Virtualization hardware: server processors, memory, and hard drive configurations;
optimization of the hardware and the virtual environment for
the best virtual guest performance; and running the x64 platform for virtual
hosts and guests.

■ Virtualization software (Virtual Server 2005, VMware Server, ESX Server). 

■ Backup strategies of virtual servers. 

■ Virtualization and high availability. Learn about the high availability solutions
from Microsoft and VMware in the virtual server environment.

■ Virtual guest limitations and how to determine if virtualization is a good 
fit for your application. 

1PM - 4PM • PRE-CONFERENCE WORKSHOP • VIRTUALIZATION TRACK 

VIRTUALIZING MICROSOFT SERVER APPLICATIONS 

ALAN SUGANO 

Virtualization is a great technology, but how does it fit in with Microsoft 
Server Applications? This workshop will focus on SQL Server, Exchange 2007,
and WSS 3.0/MOSS 2007 in a virtual environment. Each server application has
different needs in a virtual environment. For each server application we will 
examine the following issues: 

■ To Virtualize or not to Virtualize, this is the first question! 

■ 32- or 64-bit? 

■ Server configuration: Number of processors, type, memory, disk 
configuration, network cards, SAN type? 

■ What virtualization software should you use for your application? 

■ How do you configure guests for the best performance? 

■ How many users can you place on each virtual server? 

■ How many virtual guests can you place on a host? 

■ What are the High Availability Solutions for an environment? 

1PM - 4PM • PRE-CONFERENCE WORKSHOP • WINDOWS TRACK

GROUP POLICY ESSENTIALS: CONFIGURATION, CONTROL, AND SECURITY

JEREMY MOSKOWITZ 

Group Policy is the most efficient way to manage desktops in a Windows environment.
If you are still running to machines to install desktops, you are not
taking full advantage of the power of Group Policy. In this practical workshop, 
Jeremy Moskowitz will help you gain control of your environment and get 
your life back. This is the perfect session to take before doing "deep dives" 
into the main sessions of the conference. You'll get a little bit of everything: 
deployment, configuration, control, and security! We'll warm up with some 
Group Policy basics. Then, you'll learn how to get your XP and Vista client 
machines up and running with some new set-up options. After your machines 
are up and running, Jeremy will show you how to manage your environment 
with templates, zap printers down to your computers, and remotely deploy 
software to your users' desktops. Finally, you'll learn how to use Group Policy 
to secure collections of machines. We'll examine how Group Policy can do the 
heavy lifting to the jobs you want to do! This session has both XP and Vista 
content. (Note: Expanded material on some sections can be seen in some of 
Jeremy's other talks.) 
WORKSHOPS

POST-CONFERENCE 



POST-CONFERENCE DAY • MAY 1, 2008 


9AM - 4PM • POST-CONFERENCE WORKSHOP • WINDOWS TRACK 

THE BDD AND BEYOND: MICROSOFT DEPLOYMENT 
FRAMEWORKS FOR REAL-WORLD SUCCESS 
DAN HOLME 

Join Windows Connections speaker chair and deployment guru Dan Holme for 
a deep dive into the revolutionary new tools and technologies used to deploy 
Windows Vista, XP, and Server 2008. Learn how to implement Microsoft 
Deployment (formerly known as the BDD) and real-world best practices for 
the design, deployment, and maintenance of Windows clients. Go way beyond 
what Microsoft tells you so that you can effectively support clients with 
applications, configuration, security patches, and service pack rollouts into 
the future. You will take away a deployment and systems management 
methodology that works and a solid understanding of its functionality so that 
you can further refine the methodology to apply to your enterprise. You'll 
learn how WinPE, WDS, and Microsoft Deployment work. You'll also get a one-of-a-kind
set of tools and scripts to help you manage systems more effectively
with or without SMS/SCCM. This is the best deployment training in the
world, and it's only at Windows Connections. 

9AM - 4PM • POST-CONFERENCE WORKSHOP • EXCHANGE TRACK 

GET THE 411 ON MICROSOFT EXCHANGE UNIFIED MESSAGING 
(BRING YOUR OWN LAPTOP) 

PETER O'DOWD, MVP 

Microsoft Exchange Server 2007 Service Pack 1 extends your messaging system
beyond digital data and into digital voice. This one-day workshop will
show you how your Exchange Server can become a unified communications
system that accepts voice mail and provides users multiple ways to access it.
Peter O'Dowd will explain Unified Messaging as only an Exchange and OCS MVP can,
and then walk you through a series of hands-on labs that will demonstrate this
powerful but little understood feature of Exchange Server 2007. NOTE: The
laptop you bring MUST have at least 2GB of memory, 15GB free disk space,
DVD drive, and a headset with microphone.

9AM - 4PM • POST-CONFERENCE WORKSHOP • EXCHANGE TRACK 

HARDCORE OCS: COMPLETE UNIFIED COMMUNICATIONS TEST 
LAB DEVELOPMENT (BRING YOUR OWN TWO LAPTOPS) 

THOMAS FOREMAN, MVP 
VALENTINE BOIARKINE, MVP 

Not for the faint of heart, in this one-day workshop you will build a complete 
Unified Communications test lab that will reveal how OCS and Exchange with 
Unified Messaging will work in your environment. You will bring two laptops 
and build a lab that includes a SIP gateway, integrated with both OCS and 
Exchange, which lets you place a call inbound to an Office Communicator 
client and leave a voice message using Exchange Unified Communications. 
Take this configuration back to your own test lab to see how OCS and 
Exchange Server 2007 will function in your unique lab environment. NOTE:
The laptops you bring MUST have at least 2GB of memory, 15GB free disk
space, and DVD drive, NIC, and headset with microphone.

9AM - 4PM • POST-CONFERENCE WORKSHOP • VIRTUALIZATION TRACK 

VIRTUALIZATION HANDS ON BOOT CAMP 

RICK WATSON 

Bring your laptop to this incredible one-day session. You will be equipped to
quickly take advantage of the free virtualization capabilities of VMware Server
and introduce concepts of VMware Virtual Infrastructure (ESX Server based) 
virtualization. The course will also help you avoid some of the most common 
mistakes made by those new to virtualization. You will learn to: install and 
configure VMware Server; install and configure virtual machines; configure a 
Windows 2003 host for remote administration via the Web interface; and 
understand VMware Virtual Infrastructure (ESX Server based) virtualization. 
Who Should Attend? System administrators, server operators, software developers
and testers, and anyone else exploring server virtualization for the first time.
Prerequisites: System administration experience on Microsoft Windows servers. 
Requirements: A laptop with at least 1GB of RAM. More detailed requirements 
will be available in early 2008. 

Highlights: downloading VMware Server; installing VMware Server; installation 
considerations; creating a Virtual Machine (VM); choosing the right VM settings;
virtual disk, networking, and administrative options; changing,
adding, and removing virtual hardware; installing the guest OS and VMware 
Tools; Remote Management Options and Tools; configuring Windows 2003 IIS 
for remote access; and VMware Virtual Infrastructure (ESX Server based) 
virtualization. 

9AM - 12PM • POST-CONFERENCE WORKSHOP • OFFICE TRACK 

WSS 3.0 IMPLEMENTING CUSTOM WORKFLOWS 
MELISSA FRASER 

Long gone are the days of the interoffice envelope. A major feature of WSS 
3.0 is the ability to route content through a business process. These processes
are represented by using workflows. A workflow is a natural way to organize
and run a set of work units, or activities, to form an executable representation
of a work process. The workflow functionality in Windows SharePoint
Services 3.0 is built on the Windows Workflow Foundation (WF), a Microsoft 
Windows platform component that provides a programming infrastructure 
and tools for development and execution of workflow-based applications. In 
this session, we will build a custom workflow end-to-end. We will discuss: 

■ Planning the workflow 

■ Creating the workflow steps 

■ Workflow testing 

■ Workflow deployment 

1PM - 4PM • POST-CONFERENCE WORKSHOP • OFFICE TRACK 

MONITORING AND OPTIMIZING SHAREPOINT INDEXES AND SEARCH 

WENDY HENRY 

How do you make sure your Microsoft Office SharePoint Server investment
pays off? By making sure your knowledge workers use it! Be certain your
users can find the relevant information they need by providing them the
most effective Search environment to increase their productivity. Both beginners
and experts alike will benefit from learning how to optimize index performance
in order to improve Search result click-through statistics, how to
use native Search reporting to determine workload thresholds in order to 
plan for additional indexing servers, and how to utilize the many Search Web 
Parts included with MOSS to enhance the user Search interface. Attend this 
pre-conference session for a look at SharePoint Search as you've never seen 
it before, from the index out! 


SESSIONS AND SPEAKERS ARE SUBJECT TO CHANGE. 

SEE WEB SITE FOR UPDATES AND ADDITIONAL SESSIONS. 
EVENT

INFORMATION 

HOTEL INFORMATION 


HOTEL ACCOMMODATIONS 

The Hyatt Regency Grand Cypress Resort, 
One Grand Cypress Blvd., Orlando, FL 
is the conference site and host hotel. 
SPACE IS LIMITED so reserve your room 
early by calling the conference hotline at 
800-505-1201. 

AIRLINE 

Please call Pericas Travel at 
203-562-6668 for airline reservations. 

CAR RENTAL 



Hertz is offering auto rental discounts to 
attendees. Call the Hertz Meeting Desk at 
800-654-2240 for reservations and refer 
to code CV# 010R0034 to receive your 
attendee discount. 


ORLANDO, FLORIDA 

EXTEND YOUR STAY 


AIRPORT SHUTTLE 

Mears Transportation is the designated 
ground carrier at Orlando International 
Airport. The shuttle may be picked up 
at Level 1 of the airport. The shuttle is 
available 24 hours a day. The rates to the 
Hyatt Regency Grand Cypress hotel are 
as follows: One-way is $18.00 and $30.00 
round-trip. You may call Mears directly at 
407-843-2404 for more information or go 
to their Web site: 
www.mearstransportation.com. 

Prices are subject to change. 


Come early or stay late. Bring the family! You are in the land of 
fantasy for children of all ages. Walt Disney World - Magic 
Kingdom® Park, Disney MGM Studios®, Epcot® and Disney's 
Animal Kingdom® Theme Park. In addition, explore Kennedy 
Space Center, Sea World, and Universal Studios Theme Park, or 
take a short drive to beautiful white sand Atlantic beaches. 

TAX DEDUCTION 

Your attendance to a DevConnections conference may be tax 
deductible. Visit www.irs.ustreas.gov. Look for topic 
513 - Educational Expenses. You may be able to deduct the 
conference fee if you undertake to (1) maintain or improve skills 
required in your present job; (2) fulfill an employment condition
mandated by your employer to keep your salary, status, or job. 


ATTIRE 

The recommended dress for the 
conference is casual and comfortable. 
Please bring along a sweater or jacket, 
as the ballrooms can get cool with the 
hotel's air conditioning. 


SPONSORSHIP/EXHIBIT INFORMATION 

For sponsorship information, contact: 

Rod Dunlap 

phone: 480-917-3527 

e-mail: rod@devconnections.com 

See web site for more details. www.WinConnections.com 



GROUP DISCOUNT 

Register individuals from one 
company at the same time 
and receive a group discount. 

Call 800-505-1201 to take 
advantage of group discount pricing. 

NOTES & POLICIES: The Conference Producers reserve the right to cancel the conference by refunding the registration fee. 
Producers can substitute speakers and topics and cancel sessions without notice or obligation. Updates will be posted on 
our Web site at www.WinConnections.com. Tape recording, photography is not allowed at any session. Conference producers 
will be taking candid pictures of events and reserve the right to reproduce. By attending this conference you agree to this 
policy. You may transfer this registration to a colleague. Please inform us if you have any special needs or dietary restrictions
when you register. The conference registration includes a one-year print subscription to Windows IT Pro. Current
subscribers will have an additional 12 issues added to their subscription. Subscriptions outside of the United States and 
Canada will be digital. $25 of the funds will be allocated toward a subscription to Windows IT Pro ($49.95 value). 
REGISTRATION & CANCELLATION POLICY: Registrations are not confirmed until payment is received. Cancellations before 
March 27, 2008 must be received in writing and will be refunded minus a $100 processing fee. After March 27, 2008 cancellations
and no shows are liable for full registration, it can be transferred to the next Connections Conference within 12 months
or to another person. Active Directory, Microsoft, MSDN, Outlook, Windows NT, Windows Server, Windows Vista, and Windows 
are either trademarks or registered trademarks of Microsoft Corporation. All other trademarks are property of their owners. 


1-3 registrants 

$1,495 per person 

Additional registrants 
after the 3rd 

(4th, 5th, 6th...) 

$1,295 per person 

($200 off each) 














CONFERENCE REGISTRATION • APRIL 27-30, 2008 


ONLINE 

www.WinConnections.com


FULL CONFERENCE REGISTRATION INCLUDES KEYNOTE ON APRIL 27, 6:30PM, 
THROUGH CLOSING SESSION APRIL 30, 4:30PM 


NAME 

PRIORITY CODE 

COMPANY 

TITLE 

STREET ADDRESS (REQUIRED TO SHIP MATERIALS) 


CITY, STATE, POSTAL CODE 

COUNTRY 


TELEPHONE FAX E-MAIL ADDRESS (IMPORTANT) 


E-MAIL 

info@devconnections.com

PHONE 

(800) 505-1201, (203) 268-3204 

FAX 

(203) 261-3884 

MAIL 

Microsoft Exchange Connections 2008 
Windows Connections 2008 
Office Connections 2008 
c/o Tech Conferences, Inc. 

731 Main Street, Suite C-3 
Monroe, CT 06468 


□ 


Microsoft Exchange Connections 


on or before March 11.$1395.00 

after March 11.$1495.00 


□ Windows Connections 


on or before March 11.$1395.00 

after March 11.$1495.00 


□ Office Connections 


on or before March 11.$1395.00 

after March 11.$1495.00 


PRE-CONFERENCE WORKSHOPS SATURDAY, APRIL 26, 2008 LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS. 

□ 9:00AM - 4:00PM Say What? Voice Technologies for IT Professionals BOIARKINE & FOREMAN.$399 _

□ 9:00AM - 4:00PM U-Fix-It: Troubleshooting Exchange Server 2007 O'DOWD.$399 _

PRE-CONFERENCE WORKSHOPS SUNDAY, APRIL 27, 2008 LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS. 

□ 9:00AM - 4:00PM Walk in the Park: Office Communications Server BOIARKINE & FOREMAN.$399 _ 

□ 9:00AM - 4:00PM Walk in the Park: Microsoft Exchange 2007 O'DOWD .$399 _ 

□ 9:00AM - 4:00PM Windows PowerShell Jump Start HICKS.$399 _

□ 9:00AM - 12:00PM Virtualization: A Jump Start SUGANO.$199 _ 

□ 9:00AM - 12:00PM SharePoint Governance: Gather Your Reins BEFORE Jumping ... HENRY.$199 _ 

□ 1:00PM - 4:00PM Virtualizing Microsoft Server Applications SUGANO.$199 _ 

□ 1:00PM - 4:00PM Group Policy Essentials: Configuration, Control, and Security MOSKOWITZ.$199 _ 

□ 1:00PM - 4:00PM Supporting SharePoint Databases: The DBA's Guide HENRY.$199 _ 

POST-CONFERENCE WORKSHOPS THURSDAY MAY 1, 2008 LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS. 

□ 9:00AM - 4:00PM The BDD and Beyond: Microsoft Deployment Frameworks ... HOLME.$399 _ 

□ 9:00AM - 12:00PM WSS 3.0 Implementing Custom Workflows FRASER.$199 _ 

□ 1:00PM - 4:00PM Monitoring and Optimizing SharePoint Indexes and Search HENRY.$199 _ 

□ 9:00AM - 4:00PM Get the 411 on Microsoft Exchange Unified Messaging O'DOWD .$399 _ 

□ 9:00AM - 4:00PM Hardcore OCS: Complete Unified Communications Test Lab ... FOREMAN & BOIARKINE.$999 _ 

□ 9:00AM - 4:00PM Virtualization Hands On Boot Camp WATSON.$399 _ 

CONFERENCE MATERIALS Full conference registration includes materials for the one conference for which you register. 
You may purchase materials for the other concurrently run events. 

□ Microsoft Exchange Connections Proceedings CD .$75_ 

□ Windows Connections Proceedings CD .$75_ 

□ Office Connections Proceedings CD .$75_ 


PAYMENT TOTAL 


♦IMPORTANT: You must reference Microsoft Exchange Connections, Windows Connections, or Office Connections on your check. 

□ CHECK (payable to Tech Conferences) All payments must be in US Currency. Checks must be drawn on a US bank. 
□ VISA □ MASTERCARD □ AMEX 

CREDIT CARD NO. EXPIRATION DATE 


Cardholder's Signature 


Cardholder's Name (print) 
Manage Your EFS Keys with Cipher

Examine and decrypt anything encrypted by anyone 


Encrypting File System (EFS) lets you encrypt important
files so that life is tough for the folks trying to steal
sensitive data. However, like any encryption system,
EFS isn't all wine and roses: If you lose your encryption keys,
not only will the bad guys be unable to read your data, you
won't be able to read it, either. Key management and recovery
is therefore extremely important to any EFS user, and EFS's
command-line tool Cipher (cipher.exe) can help.

Back Up Your EFS Key 

The first time that you use EFS to encrypt something, your 
system generates a random 256-bit number; that's the key 
that EFS uses whenever you encrypt something. To back up 
your EFS key, simply use the Cipher /x command. Cipher 
will reply with a message asking if you truly want to back 
up your EFS key—sadly, I haven't found a way to suppress
this message. Press OK. The tool will then prompt you for
the name of the file in which to store the backup. Don't
specify a file extension; Cipher insists on the .pfx extension.
For example, if you picked a file named mybackup,
you now have a small file called mybackup.pfx. Next, the 
tool will prompt you to create a password with which to 
protect that file. 

Once you've got that file created, copy it from your 
computer's hard disk to some offline location (e.g., a USB 
stick, a CD-ROM) and make a note of the password you've 
chosen. Now, in the event of unfortunate circumstances— 
for example, you lose your profile, you forget your password 
and a systems administrator has to reset it, the system's OS 
fails and you need to recover files directly from the now-dead
system's hard disk—you can simply restore your EFS
key by double-clicking the .pfx file and running the resulting 
wizard. As soon as the wizard is finished, you'll be able to 
get to your files again. 

Make Yourself a Recovery Agent 

But what if you're the administrator of this system, and you 
have to think of your users? You might not trust your users 
to back up their EFS keys, and you'd hate to see the look on 
their faces when they lose their keys and you're forced to say, 
"I can't help you." To avoid that, make yourself a recovery agent
for the standalone (non-domain-joined) system. (A recovery 
agent can decrypt files even if he or she didn't create them.) 
And this is important: Do so before people start encrypting 
files. In my experience, a recovery agent can decrypt any 
files created after he or she became a recovery agent—not 
before. You can make any user—administrator or not—into a
recovery agent, but for this example I'll assume you're making
yourself the recovery agent. The following process works
equally well for Windows Vista, Windows Server 2003, and
Windows XP.

First, execute the Cipher /r:recoveryguy command,
which creates two certificate files: recoveryguy.cer and recoveryguy.pfx.
Cipher will prompt you to create a password for
the .pfx file, which contains a private key and needs some
protection. Anyone can run this command because all it does
is create this pair of certificates. In essence, a user running this
command creates a self-identifying ID card (i.e., the .pfx file)
and an assurance of trustworthiness to EFS that the user can
decrypt any and all files on this system (i.e., the .cer file). None
of that's worth a darn unless an administrator hands this "letter
of introduction" to EFS.

In the second step, the soon-to-be data recovery agent 
(that's you) needs to associate himself or herself with the 
newly created .pfx file. Double-click the recoveryguy.pfx 
file to start the Certificate Import Wizard. After clicking Next 
twice, the wizard will ask you for the password to the private 
key on the certificate. Fill in the password you told Cipher /r 
to use. Also, select the Mark this key as exportable check box 
(so that you can back up the certificate if necessary), and 
click Next. Click Next to let the wizard store the certificate, 
and click Finish. 

Finally, in the third step, you'll give that letter of introduction 
to the OS. Ensure that you're logged on with an administrative 
account, and start up the local Group Policy Editor 
(GPE). Navigate to Local Computer Policy, Windows Settings, 
Security Settings, Public Key Policies, Encrypting File System. 
Right-click the Encrypting File System folder, and choose Add 
Data Recovery Agent. Doing so starts another wizard. Click 
Next to get to the Select Recovery Agents page. Click Browse 
Folders, and navigate to recoveryguy.cer. After you choose 
that file and click Yes, you'll see that Windows has accepted 
the certificate, but that it has the name USER_UNKNOWN. 
Don't worry: That's normal. Click Next, then Finish. 

Freely Decrypt 

From this point forward, you can examine and decrypt 
anything encrypted by anyone on this system. Remember, 
if you're the only user of a standalone (non-domain-joined) 
system, you just need to back up your EFS key. But if you're 
the administrator of a system that more than one person 
uses, you need to do a bit more clicking and make yourself 
a data recovery agent. Or you can simply join those systems 
to a domain, and the work is already done for you! 
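
To confirm that the three steps took effect, the following added example (not part of the original article) encrypts a scratch file and uses Cipher /c to check that the thumbprint of recoveryguy.cer is listed among the file's recovery certificates. It assumes Windows Vista or later, English-language Cipher output, and recoveryguy.cer in the current folder; the parameter names, function name and scratch file name are made up for the example.

```powershell
# Added example (not from the article): confirm that the data recovery agent
# certificate is recorded on EFS-encrypted files.
# Assumptions: Windows Vista or later (cipher /c), English cipher output,
# recoveryguy.cer produced by "cipher /r:recoveryguy" as in the article.
param(
    [string]$CerPath = '.\recoveryguy.cer',
    # Optional: existing encrypted files to check, for example files that were
    # encrypted before the agent was added. If empty, a scratch file is used.
    [string[]]$Path = @()
)

function Get-RecoveryThumbprint {
    # Return the thumbprints listed under "Recovery Certificates:" in the
    # output of cipher /c, normalized to uppercase hex without spaces.
    param([string[]]$CipherOutput)
    $inSection = $false
    foreach ($line in $CipherOutput) {
        if ($line -match '^\s*Recovery Certificates?:') { $inSection = $true; continue }
        # The "Key Information" section follows the recovery certificates.
        if ($inSection -and $line -match '^\s*Key\s') { break }
        if ($inSection -and $line -match 'Certificate thumbprint:\s*(\S.*)$') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

# Thumbprint of the certificate handed to EFS in the third step.
$cerFull  = (Resolve-Path -Path $CerPath).Path
$dra      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerFull
$expected = $dra.Thumbprint.ToUpperInvariant()

# With no files named, create and encrypt a scratch file (hypothetical name).
$scratch = $null
if ($Path.Count -eq 0) {
    $scratch = Join-Path $env:TEMP ("efs-dra-check-{0}.txt" -f [guid]::NewGuid())
    Set-Content -Path $scratch -Value 'EFS recovery agent check'
    [System.IO.File]::Encrypt($scratch)   # EFS-encrypts the file as the current user
    $Path = @($scratch)
}

$results = foreach ($p in $Path) {
    $full  = (Resolve-Path -Path $p).Path
    $found = @(Get-RecoveryThumbprint -CipherOutput (cipher /c $full))
    New-Object PSObject -Property @{
        File           = $full
        RecoveryAgents = $found.Count
        HasRecoveryGuy = ($found -contains $expected)
    }
}

if ($scratch) { Remove-Item -Path $scratch -Force }

$results | Format-Table File, RecoveryAgents, HasRecoveryGuy -AutoSize

# A non-zero exit code flags any file that the recovery agent is not listed on.
if ($results | Where-Object { -not $_.HasRecoveryGuy }) { exit 1 }
```

Run it as an ordinary user after the policy change; pass -Path with older encrypted files to see whether they list the agent.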

InstantDoc ID 97735 
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Features of Google Apps 

The price is right, and Google’s calendar, email, document handling, and other features are 
ready to take on Microsoft Office 


If you've been using Google only as a search engine, 
you might be surprised by some of the features it's 
now offering. Google Apps, an emerging competitor to 
Microsoft Office, has definitely grabbed Microsoft's attention. 
In fact, Microsoft's move to Windows Live and its new 
Software Plus Services strategy are certainly motivated by 
Google's recent moves. Google's Web-based suite offers a 
free, limited-feature Standard Edition as well as the 
full-featured Premier Edition for $50 per user per year. Here are 
the most important features of Google Apps. 


10 Internet domain integration—Google 
Apps Standard Edition is free if you already 
own an Internet domain name. You simply 
verify that you're the owner, and you can 
integrate Google Apps with your domain. If you don't own 
a domain name, Google offers domain registration for $10 
per year. 


9 Single sign-on and directory integration—Google Apps 
makes use of Security Assertion Markup Language (SAML) 
to permit single sign-on (SSO) capabilities with a variety of 
different LDAP-compatible authentication services. For more 
information about Google Apps' SSO capabilities, refer 
to code.google.com/apis/apps/sso/saml_reference_implementation.html. 

8 Start Page—The Google Apps Start Page is the 
user's entry point into Google Apps. The Start 
Page can be customized to provide your organization's 
logo and content. In addition, you can 
add many different custom features using add-ons called 
Google Gadgets. 


5 Page Creator—To help you build and customize 
your site, Google Apps provides Page Creator, a 
Web-based graphical Web page designer with 
single-click Web page publishing. Page Creator 
Web pages are compatible with both Microsoft Internet 
Explorer and Mozilla Firefox. 


4 Gmail—One of the stalwart applications in the 
Google Apps suite is Gmail. Google Apps Premier 
Edition allows 25GB of storage for each Gmail 
account, and Google Apps provides tools for 
email routing and migration. Google has recently added 
Postini for security and message recovery. Gmail supports 
POP3 and MAPI connectivity. 


3 Google Talk—Google's IM component, Google 
Talk, is integrated with Gmail, letting you initiate 
chat sessions from email messages. Google Talk is 
designed primarily for use with other Google Talk 
clients, but it's built using the open Extensible Messaging and 
Presence Protocol (XMPP), which lets it interoperate with 
other IM clients. Google Talk also features file transfer, 
conversation logging, and voice communications using VoIP. 


2 Google Calendar—Another staple in the Google 
Apps suite is Google Calendar. Based on Asynchronous 
JavaScript and XML (Ajax), Google 
Calendar offers a rich end-user experience, letting 
you make appointments and schedule meetings and notifications. 
Unlike Microsoft Office Outlook with Microsoft 
Exchange Server, Google Calendar can publish public calendars. 
Google Calendar also provides cool Short Message 
Service (SMS) scheduling and notifications that can send 
text messages to mobile devices. 



Michael Otey (mikeo@windowsitpro.com) is technical director 
for Windows IT Pro and SQL Server Magazine and 
coauthor of SQL Server 2005 Developer's Guide 
(Osborne/McGraw-Hill). 


7 Google Gadgets—A few of the available Google 
Gadgets include a search function, an MP3 player, 
a live TV feed, a custom RSS reader, and even the 
Bejeweled and PacMan games. You can create 
your own Google Gadgets with the Google API. You'll find 
the list of available Google Gadgets at 
www.google.com/ig/directory?synd=open. 


6 Control panel—You manage Google Apps with 
a Web-based control panel, which lets you set up 
and manage user accounts, configure user sharing 
permissions, and migrate your existing email to 
Gmail. You can also brand your site with your own logos 
and color schemes. 






Google Docs—As the keystone of 
Google Apps, Google Docs facilitates 
real-time document sharing and 
collaboration. Multiple, geographically 
disparate users can share and 
even simultaneously edit documents. 
Google Docs has long provided word 
processing and spreadsheet functionality, working 
with .doc, .rtf, .xls, and .csv file formats. Google recently 
added the ability to use the .ppt document format as 
well, so you can now collaborate on and share 
presentations with Google Docs. 
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companion sites listed in the header and footer menus. 
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These are yeur kind ef people. 
Jeff James (jjames@windowsitpro.com) is senior editor, products, for Windows IT Pro and SQL Server Magazine. 

Readers Review 

At a Glance 

VMware Infrastructure 3 
Lucid8 DigiScope 1.1 
Diskeeper 2008 

Consolidate Workloads with Server 
Virtualization 

VMware Infrastructure 3 


Reader: Michael Cisek, Director, Emerging Infrastructure & Operations Support 
Product: VMware Infrastructure 3 
Company: VMware 
Contact: www.vmware.com 


Our organization had several IT needs that couldn't easily 
be addressed with our current budget and infrastructure, so we 
began looking at VMware virtualization products a few years ago. 
VMware Workstation was introduced into our environment by our 
systems team first, and that was quickly followed up with a 
GSX server evaluation. All of that led up to our current IT 
infrastructure, which is now based on the VMware Infrastructure 3 
(VI3) platform. 

We had several needs that VI3 seemed to be the solution for: the 
need for customized development environments; new product rollouts 
that consisted of small numbers of low-utilization servers; ways 
to address our data center capacity, cooling and power concerns; and 
the need to significantly reduce costs associated with upcoming server 
replacements. Getting VI3 up and running was a relatively painless 
process: our internal system engineers were able to put our first 
two-node ESX cluster into production in a matter of days. 

Since we began using VI3, we've been able to realize a number of 
specific benefits. We've been able to reduce our server pool using server 
consolidation, often at a fifteen to one ratio. Our server deployment 
time went from days or weeks to minutes and hours, thus reducing 
the overall development cycle of new products and application. We've 
also experienced zero cost hardware replacements—when equipment 
begins to fail we perform physical to virtual server conversions. We've 
also used VI3 to take snapshots of mission critical servers to enable 
recovery from failures, and we're also in the process of converting to a 
virtual QA Infrastructure. Our goal is to have one-to-one representation 
of all mission critical applications for QA and testing. Finally, our 
developers and application used to maintain multiple physical workstations: 
one for production, one for development, and one for QA. We've been 
able to consolidate all three of those functions onto one physical PC 
using VMware Workstation. 

We've had relatively few issues with VMware during our first 18 
months of use. I attribute this to the fact that we opted to wait for the 
VI3 release as opposed to deploying 2.5x. All of our VMware products 
are purchased through HP, and we've found HP's virtualization support 
to be excellent. 

There are some things I would like to see VMware improve upon, 
ranging from improvements to the physical to virtual (and potentially 
virtual to physical) conversion processes. I'd like to see more VI3 
integration with other enterprise products, and Storage VMotion [in ESX 
3.5] would be a nice addition. I'd also like to see VMware reduce their 
licensing costs. All that said, we've realized substantial costs savings by 
switching to VMware VI3. 


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Wanted: Your Real-World Experiences with Products 

Have you discovered a great product that saves you time and money? Do you use something you wouldn’t wish 
on anyone? Tell the world in a review right here in What’s Hot: Readers Review Hot Products. If we publish your 
opinion, we’ll send you a Best Buy gift card! Send information about a product you use and whether it helps you or 
hinders you to whatshot@windowsitpro.com. 
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Celebrating ... 



What’s Hot 


Exchange e-Discovery and Email Recovery 


Lucid8 DigiScope 1.1 

Reader: Raul Ramos, Director, Information Systems 
Product: Lucid8 DigiScope 1.1 
Company: Lucid8 
Contact: www.lucid8.com 


In our IT environment, users wanted 
to have the ability to restore the 
contents of a single folder or e-mail 
within Microsoft Exchange. Another 
requested feature was an ability to 
examine the contents of a specific mail 
folder without requiring the user to log 
on to the network as a specific user. I 
started doing some research on possible 
solutions, and I came across DigiScope 
from Lucid8. I visit the Lucid8 Web site 
fairly often, since I'm also currently using Lucid8's DigiVault and Go 
Exchange products. 

Installation was straightforward: I had DigiScope up and running in 
less than an hour, and I didn't need to reboot or take Exchange off-line 
to complete the installation. When I did need support during the install 
process, Lucid8 was very efficient at resolving technical issues quickly. 
Using WebEx [remote] access, they can log into your system and walk 
you through the setup process while sharing the desktop. I found the 
support staff to be very friendly and knowledgeable. 

Lucid8 tech support has been good, but the online help manual for 
DigiScope is very basic: I believe it could have included more extensive 
and detailed information about how the product functions. I think most 
of the users of DigiScope are fairly tech savvy, so more information 
would have been welcome. 

Some of my favorite DigiScope features include a user-friendly, 
Windows Explorer-like GUI; the ability to export emails and folders to 
multiple formats (i.e., .PST, .MSG, and .XML); and performance adjustment 
tools that allow you to set the level of CPU / computer resources. 
I also like how well DigiScope seamlessly integrated with Exchange and 
Active Directory. 

On the first day I used DigiScope, it saved me several hours of time 
by helping me restore some deleted mail folders. I've previously used 
external consultants to help me with very complex Exchange issues, 
such as restoring databases. With DigiScope, those calls are now a thing 
of the past—and so is the extra cost in maintenance. 

After using the software over the past 11 months, I'd be happy to 
recommend Lucid8 to other IT pros—especially if you're using Exchange 
and want to save on maintenance costs. Companies that rely on outside 
support and consultants for their Exchange upkeep can save a lot of 
money by using DigiScope. In my experience, using DigiScope has paid 
for itself by eliminating our need for external Exchange help. 


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Automation & Management Software 
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ensim* 


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AdminScriptEditor 


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What’s Hot 


Defragment and Optimize Hard Disks 

Diskeeper 2008 


I work for a PBS television station 
with millions of viewers throughout 
the United States and Canada. Our 
workflow relies upon working computer 
equipment. We don't use hammers, 
drills or ovens to fulfill our business 
objectives—we use computers, which 
are prone to having their hard drives 
getting defragmented over time, which 
contributes to poor system performance. 

You wouldn't use dull knives or blades if 
you were a butcher, or a broken hammer if you were a roofer, or even a dull 
pencil if you were an architect. Why would we use less than fully functional 
computers? The built-in defragmentation utility in Windows didn't fill my 
needs at all, so we became a true multi-user corporate license holder for 
Diskeeper in 1999. We've upgraded to newer versions of Diskeeper over 
the years, including the latest release: Diskeeper 2008. 

Five versions of the software are offered for businesses, including 
Professional, Professional Premier, Server, Enterprise Server, and 
Administrator. All versions (but Professional) include I-FAAST (Intelligent 
File Access Acceleration Sequencing Technology), a feature 
that helps accelerate the programs you use most frequently through 
a special defrag mode that puts those commonly used in files and 
libraries in a specific location on the hard drive that speeds disk access 
substantially. Other nice features include an automatic real-time 
defragmentation feature (that defrags in the background while you 
work), and a FragShield function that keeps your hard drive's MFT 
(Master File Table) and paging file automatically defragged. 

As for things I would improve about the software, I would like to see 
more companies go with a 'buy one license and use it on three PC's' 
mode of licensing. It would be nice if Diskeeper Corporation followed 
this model. 

I've seen the boot time defrag on Diskeeper 2007 not work on some 
computers using external Firewire drives or USB drives, and this problem 
likely exists in Diskeeper 2008. I've found that the root cause for this 
problem isn't Diskeeper: Certain motherboards do not support USB drives or 
Firewire drives until Windows XP boots to a certain point. This is a 
hardware issue, so potential users of Diskeeper should check their 
motherboard BIOS if they're having trouble with the defrag-on-boot option. 

InstantDoc ID 97842 


Reader: Glen Martin, Broadcast Engineer III 
Product: Diskeeper 2008 
Company: Diskeeper Corporation 
Contact: www.diskeeper.com 





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For more information: 
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DIRECTORY OF SERVICES 

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www.WinConnections.com 
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Ctrl+Alt+Del BY JASON BOVBERG 


SEND US YOUR INDUSTRY HUMOR! Email your funny screenshots, favorite end-user moments, and humorous IT-related pics to 
rumors@windowsitpro.com. If we use your submission, you'll receive a Ctrl+Alt+Del coffee mug. 



AVC Free Edition 


Test cannot be started because it already does not exist. 

Back to the future 

Backward-compatible 

So fast that it's vanished! 

TrendSecure 

The TrendSecure service you requested is currently up and running. Please terminate the service and try again. 

As if it never existed at all 

Techno anachronism 

THE PREVENTER OF INFORMATION SERVICES 
by Scott Adams 

I MADE SOME CHANGES TO THE NETWORK THAT I ALONE UNDERSTAND. 

I DIDN'T HAVE TIME TO TEST IT, BUT IF THERE IS A PROBLEM, I'LL BE ON VACATION FOR THREE WEEKS IN A RUSSIAN SUBMARINE BELOW THE ARCTIC CIRCLE. 

MY SCREEN JUST WENT BLANK. 

LET'S CHALK THAT UP TO COINCIDENCE. 
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SERVERS. STORAGE, 


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What's on your mind? 

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